Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable, unauthenticated endpoint with no user interaction; scope unchanged; limited integrity and availability impact only, no confidentiality exposure.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.
AnalysisAI
Unauthenticated broken access control in the WooCommerce Anti-Fraud WordPress plugin by OPMC (versions ≤ 7.2.6) allows remote unauthenticated attackers to perform unauthorized actions against the anti-fraud layer of WooCommerce stores. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, and CWE-862 (Missing Authorization) identifies the root cause as absent capability or permission checks on one or more plugin endpoints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for exploitation beyond the target WordPress site having the WooCommerce Anti-Fraud plugin (≤ 7.2.6) installed and active - the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against default plugin configurations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score is supported by a straightforward vector: network-reachable (AV:N), low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), making this trivially exploitable at scale from any internet-connected system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request directly to an unprotected WooCommerce Anti-Fraud plugin endpoint - such as an AJAX handler or REST route - that lacks authorization checks. By invoking this endpoint, the attacker manipulates the plugin's fraud scoring rules or flags legitimate orders as non-fraudulent, causing the WooCommerce store to process orders that would otherwise be blocked, or disrupting the availability of anti-fraud screening for active transactions. … |
| Remediation | The primary recommended action is to update the WooCommerce Anti-Fraud plugin to a version beyond 7.2.6 once a patched release is published by OPMC; administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woocommerce-anti-fraud/vulnerability/wordpress-woocommerce-anti-fraud-plugin-7-2-6-broken-access-control-vulnerability for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37615