Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-accessible authentication bypass with no credentials required; C:L/I:L reflects limited plugin-scope data exposure with no availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.
AnalysisAI
Broken authentication in WooCommerce Dropshipping plugin versions 5.2.4 and earlier allows unauthenticated remote attackers to bypass authentication controls via an alternate path or channel (CWE-288), yielding partial confidentiality and integrity impact on affected WordPress e-commerce installations. Reported by Patchstack, the flaw is confirmed at CVSS 6.5 Medium with a fully network-accessible, zero-complexity attack path requiring no privileges or user interaction. No public exploit code or CISA KEV listing exists at time of analysis, moderating real-world urgency despite the low exploitation barrier.
Technical ContextAI
WooCommerce Dropshipping is a WordPress plugin developed by OPMC (CPE: cpe:2.3:a:opmc:woocommerce_dropshipping:*:*:*:*:*:*:*:*) that extends WooCommerce stores with supplier and dropshipping management capabilities. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes a root cause where a system implements an authentication gate on the primary path but exposes a secondary route - such as a REST API endpoint, AJAX action, or internal callback - that omits or insufficiently enforces the same checks. In this plugin's context, a WordPress AJAX hook or REST route likely performs privileged operations (e.g., accessing supplier data, order details, or plugin settings) while relying on a flawed or absent nonce/capability check, permitting access without a valid WordPress session.
RemediationAI
No exact patched version is confirmed from available data - the fix version must be verified via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woocommerce-dropshipping/vulnerability/wordpress-woocommerce-dropshipping-plugin-5-2-4-broken-authentication-vulnerability before upgrading. Store administrators should immediately check the WordPress plugin dashboard for an update to WooCommerce Dropshipping beyond version 5.2.4 and apply it. As a compensating control, if no patched version is yet available, consider deactivating the plugin until a fix is released - trade-off: dropshipping automation will cease, requiring manual supplier management. Alternatively, if the vulnerable functionality can be isolated to specific REST or AJAX routes via server-level configuration (e.g., nginx location blocks or WAF rules targeting the plugin's slug), restricting those endpoints to authenticated sessions adds a layer of defense without full deactivation.
More in Woocommerce Dropshipping
View allThe WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using
Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.0.4. Rated medium severity (CVSS 5.3), this vulnera
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37614