Skip to main content

Autoship Cloud CVE-2026-24527

| EUVDEUVD-2026-31758 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-249v-wcw9-x5fj
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:13 vuln.today
CVE Published
May 25, 2026 - 21:40 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0.

AnalysisAI

Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.

Technical ContextAI

The affected component is a WordPress plugin - Autoship Cloud for WooCommerce Subscription Products by Patterns in the Cloud - identified by CPE cpe:2.3:a:patterns_in_the_cloud:autoship_cloud_for_woocommerce_subscription_products:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of flaw where code executes privileged operations without first confirming the requesting user holds the necessary WordPress capability or role. In the WordPress/WooCommerce ecosystem, this typically manifests as AJAX handlers, REST API endpoints, or admin-action hooks that lack a current_user_can() or nonce-plus-capability check, allowing any logged-in user - including subscribers or customers - to invoke functionality intended only for shop managers or administrators. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the attack is fully network-exploitable with no interaction required beyond holding a basic authenticated session.

RemediationAI

The primary remediation is to update the Autoship Cloud for WooCommerce Subscription Products plugin to a version beyond 2.14.0. Note that no exact patched release version is confirmed from the available input data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/autoship-cloud/vulnerability/wordpress-autoship-cloud-for-woocommerce-subscription-products-plugin-2-14-0-broken-access-control-vulnerability should be consulted for the specific fixed version before upgrading. As a compensating control pending patching, site administrators can restrict WordPress user registration or limit the creation of low-privilege accounts (subscriber/customer roles) to reduce the pool of potential authenticated attackers; note this may impact legitimate WooCommerce storefront functionality. Additionally, a Web Application Firewall rule scoped to the plugin's specific AJAX or REST endpoints can add a detection layer, though the exact vulnerable endpoint is not disclosed in available data.

Share

CVE-2026-24527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy