Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
AnalysisAI
Authentication bypass in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions up to and including 1.6.0) lets remote, unauthenticated attackers reach protected functionality through an alternate code path that fails to enforce the plugin's normal authentication checks (CWE-288). Exploitation requires no privileges, no user interaction, and low attack complexity, but CVSS scopes the impact as limited (low confidentiality, integrity, and availability). There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no current evidence of widespread exploitation.
Technical ContextAI
The affected component is the WordPress plugin "Smart Online Order for Clover" (slug clover-online-orders), which integrates the Clover point-of-sale/online-ordering platform into WordPress storefronts. The root cause is CWE-288, Authentication Bypass Using an Alternate Path or Channel: the plugin exposes a secondary access path (commonly an AJAX action, REST route, or directly invokable handler in WordPress plugins) that does not apply the same identity/authorization verification as the primary, intended authentication flow. As a result, requests routed through that alternate channel are processed as if authenticated. No CPE string was provided in the source data, so exact component-level matching beyond the plugin name and version is not available; the affected-version data comes from the ENISA EUVD record (EUVD-2026-32194).
RemediationAI
No vendor-released patch version is identified in the available data, which states only that versions up to and including 1.6.0 are affected; therefore the primary action is to upgrade to a release later than 1.6.0 once ZAYTECH publishes one (monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-broken-authentication-vulnerability?_s_id=cve and the plugin's WordPress.org page for the fixed version). Until a fixed version is confirmed, apply compensating controls: deactivate and remove the plugin if online ordering is not business-critical (trade-off: disables Clover ordering functionality on the site); deploy a virtual patch / WAF rule (Patchstack and similar WordPress firewalls publish signatures for this class) to block requests to the vulnerable alternate endpoint (trade-off: depends on accurate rule coverage and may need tuning to avoid blocking legitimate ordering traffic); and restrict network/access to the plugin's endpoints where feasible (trade-off: may interfere with legitimate customer access if the storefront is public-facing).
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32194
GHSA-fw9h-5wwp-r96p