What is the CVSS score of CVE-2026-42745?

CVE-2026-42745 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Smart Online Order are affected by CVE-2026-42745?

The ZAYTECH 'Smart Online Order for Clover' WordPress plugin (versions through 1.6.0) contains an authentication bypass that permits unauthenticated attackers to access protected order management…

Smart Online Order CVE-2026-42745

Q: How to fix or mitigate CVE-2026-42745?

24 hours: Disable or uninstall the plugin from all WordPress instances running version 1.6.0 or earlier. 7 days: Confirm removal and audit server access logs for unauthorized access to order endpoints during the exposure window. 30 days: Evaluate and deploy an alternative payment processing solution; ensure all Clover merchant instances are patched or have a validated compensating control in place.

EUVD-2026-32194 HIGH

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

2026-05-27 audit@patchstack.com

GHSA-fw9h-5wwp-r96p

Authentication Bypass

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 20:55 vuln.today

DescriptionNVD

Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.

AnalysisAI

Authentication bypass in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions up to and including 1.6.0) lets remote, unauthenticated attackers reach protected functionality through an alternate code path that fails to enforce the plugin's normal authentication checks (CWE-288). Exploitation requires no privileges, no user interaction, and low attack complexity, but CVSS scopes the impact as limited (low confidentiality, integrity, and availability). …

RemediationAI

24 hours: Disable or uninstall the plugin from all WordPress instances running version 1.6.0 or earlier. 7 days: Confirm removal and audit server access logs for unauthorized access to order endpoints during the exposure window. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42745 vulnerability details – vuln.today

Back