Skip to main content

WordPress CVE-2026-4880

| EUVDEUVD-2026-23136 CRITICAL
Improper Privilege Management (CWE-269)
2026-04-15 Wordfence GHSA-p8x8-wgf2-jrjm
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 00:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 00:22 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 00:20 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 23:45 euvd
EUVD-2026-23136
Analysis Generated
Apr 15, 2026 - 23:45 vuln.today
CVE Published
Apr 15, 2026 - 23:25 nvd
CRITICAL 9.8

DescriptionCVE.org

The Barcode Scanner (+Mobile App) - Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.

AnalysisAI

Privilege escalation to WordPress administrator via insecure token-based authentication in Barcode Scanner (+Mobile App) plugin versions ≤1.11.0 allows remote unauthenticated attackers to gain full administrative control. The plugin leaks valid admin authentication tokens through the 'barcodeScannerConfigs' action and accepts Base64-encoded user IDs without validation, enabling attackers to spoof admin credentials, extract legitimate tokens, and modify any user's 'wp_capabilities' meta to grant themselves administrator privileges. CVSS 9.8 (Critical) with network vector, low complexity, and no authentication required. Vendor patch deployed in changeset 3506824.

Technical ContextAI

This vulnerability affects UKRSolution's Barcode Scanner WordPress plugin, a POS and inventory management system. The flaw stems from CWE-269 (Improper Privilege Management) where the plugin implements a custom token-based authentication mechanism that fatally trusts client-supplied user identification. The authentication flow accepts a Base64-encoded user ID in a token parameter without server-side validation of ownership, effectively allowing session hijacking through identifier spoofing. The plugin's 'barcodeScannerConfigs' AJAX action leaks valid authentication tokens to unauthenticated callers, while the 'setUserMeta' action permits arbitrary WordPress user metadata modification without meta-key restrictions. This combination creates a complete authentication bypass chain: an attacker can impersonate any user (including administrators) by Base64-encoding their user ID, retrieve that user's legitimate authentication token through the config leak, then use the token to directly manipulate WordPress core user capabilities stored in the wp_usermeta table.

RemediationAI

Immediately update to the patched version available via WordPress plugin repository changeset 3506824 or later (https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders). WordPress administrators should navigate to Dashboard > Plugins > Updates and apply available updates for Barcode Scanner plugin. If immediate patching is not feasible, disable the plugin entirely until update can be applied-the authentication bypass allows complete site takeover, making compensating controls insufficient. After patching, conduct a security audit: review all WordPress user accounts for unexpected administrator-level users created during the vulnerability window, examine recent plugin-related activity in logs, check wp_usermeta table for suspicious 'wp_capabilities' modifications (SELECT * FROM wp_usermeta WHERE meta_key = 'wp_capabilities' ORDER BY umeta_id DESC LIMIT 50), and consider rotating authentication credentials for all administrative users. The patch restricts meta-key access in setUserMeta and implements proper token validation, but pre-existing compromised accounts will persist. For complete incident response guidance, consult Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy