Skip to main content

WooCommerce Cart Abandonment Recovery CVE-2026-39470

| EUVDEUVD-2026-36934 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-rwg3-rwpr-5x3m
7.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable wp-admin endpoint (AV:N/AC:L), requires an existing shop_manager account (PR:H), no victim interaction (UI:N), and full admin takeover yields C:H/I:H/A:H within the same WordPress instance (S:U).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 15, 2026 - 22:31 vuln.today
Patch available
Jun 15, 2026 - 22:02 EUVD
CVE Published
Jun 15, 2026 - 20:17 cve.org
HIGH 7.2

DescriptionCVE.org

Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions.

AnalysisAI

Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.

Technical ContextAI

The affected component is the WooCommerce Cart Abandonment Recovery plugin (CPE cpe:2.3:a:brainstorm_force:woocommerce_cart_abandonment_recovery), a Brainstorm Force / Cartflows WordPress extension for WooCommerce that tracks abandoned carts and triggers recovery emails. The root cause class is CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or accepts a privilege level that exceeds what the calling user's WordPress role should permit. In WordPress, the shop_manager role is intentionally scoped to product/order management and should not be able to reach administrator-only capabilities; a CWE-266 flaw in a plugin endpoint typically arises from missing or mis-scoped current_user_can() checks, role/capability mapping errors, or trusting client-supplied role data in an AJAX/REST handler.

RemediationAI

Vendor-released patch: upgrade the WooCommerce Cart Abandonment Recovery plugin to version 2.1.0 or later via the WordPress plugin updater on every affected site, per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-cart-abandonment-recovery/vulnerability/wordpress-woocommerce-cart-abandonment-recovery-plugin-2-1-0-privilege-escalation-vulnerability. If immediate patching is not possible, deactivate and remove the plugin until it can be updated (this disables abandoned-cart recovery emails and tracking, so revenue-recovery campaigns will pause); alternatively, temporarily reduce or revoke the shop_manager role from non-essential users and audit recent administrator account creations and capability changes, accepting that this restricts day-to-day store operations for those accounts. As a network-layer compensating control, restrict /wp-admin and the plugin's AJAX/REST endpoints to known IP ranges via the web server or WAF, noting this can block legitimate remote staff.

Share

CVE-2026-39470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy