Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
The Barcode Scanner (+Mobile App) - Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.
AnalysisAI
Privilege escalation to WordPress administrator via insecure token-based authentication in Barcode Scanner (+Mobile App) plugin versions ≤1.11.0 allows remote unauthenticated attackers to gain full administrative control. The plugin leaks valid admin authentication tokens through the 'barcodeScannerConfigs' action and accepts Base64-encoded user IDs without validation, enabling attackers to spoof admin credentials, extract legitimate tokens, and modify any user's 'wp_capabilities' meta to grant themselves administrator privileges. CVSS 9.8 (Critical) with network vector, low complexity, and no authentication required. Vendor patch deployed in changeset 3506824.
Technical ContextAI
This vulnerability affects UKRSolution's Barcode Scanner WordPress plugin, a POS and inventory management system. The flaw stems from CWE-269 (Improper Privilege Management) where the plugin implements a custom token-based authentication mechanism that fatally trusts client-supplied user identification. The authentication flow accepts a Base64-encoded user ID in a token parameter without server-side validation of ownership, effectively allowing session hijacking through identifier spoofing. The plugin's 'barcodeScannerConfigs' AJAX action leaks valid authentication tokens to unauthenticated callers, while the 'setUserMeta' action permits arbitrary WordPress user metadata modification without meta-key restrictions. This combination creates a complete authentication bypass chain: an attacker can impersonate any user (including administrators) by Base64-encoding their user ID, retrieve that user's legitimate authentication token through the config leak, then use the token to directly manipulate WordPress core user capabilities stored in the wp_usermeta table.
RemediationAI
Immediately update to the patched version available via WordPress plugin repository changeset 3506824 or later (https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders). WordPress administrators should navigate to Dashboard > Plugins > Updates and apply available updates for Barcode Scanner plugin. If immediate patching is not feasible, disable the plugin entirely until update can be applied-the authentication bypass allows complete site takeover, making compensating controls insufficient. After patching, conduct a security audit: review all WordPress user accounts for unexpected administrator-level users created during the vulnerability window, examine recent plugin-related activity in logs, check wp_usermeta table for suspicious 'wp_capabilities' modifications (SELECT * FROM wp_usermeta WHERE meta_key = 'wp_capabilities' ORDER BY umeta_id DESC LIMIT 50), and consider rotating authentication credentials for all administrative users. The patch restricts meta-key access in setUserMeta and implements proper token validation, but pre-existing compromised accounts will persist. For complete incident response guidance, consult Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23136
GHSA-p8x8-wgf2-jrjm