Skip to main content

WooCommerce POS CVE-2026-52711

| EUVDEUVD-2026-37048 HIGH
Missing Authorization (CWE-862)
2026-06-16 Patchstack GHSA-6g34-fq4g-j6p6
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint with missing authorization (PR:N, AV:N, AC:L, UI:N); broken access control leaks protected data so C:H, with no write or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 10:24 vuln.today
CVE Published
Jun 16, 2026 - 09:00 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.

AnalysisAI

Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.

Technical ContextAI

WooCommerce POS (kilbot/woocommerce-pos per the CPE cpe:2.3:a:kilbot:woocommerce_pos) is a point-of-sale extension for WooCommerce that exposes additional REST or AJAX endpoints to manage orders, products, and customer data inside the WordPress admin and storefront contexts. CWE-862 (Missing Authorization) indicates that one or more of these endpoints performs its action without verifying the caller's WordPress capability, nonce, or user role - typically by omitting a permission_callback in register_rest_route() or skipping current_user_can() checks. Because WooCommerce stores PII and order data, broken access control on such endpoints can leak sensitive commercial information without any credentials.

RemediationAI

Upstream fix available per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woocommerce-pos/vulnerability/wordpress-woocommerce-pos-plugin-1-8-14-broken-access-control-vulnerability) but a released patched version is not independently confirmed in the input; administrators should update WooCommerce POS to any version higher than 1.8.14 once the developer publishes it on wordpress.org and verify the changelog references this access control fix. Until the upgrade is applied, compensating controls include deactivating the WooCommerce POS plugin entirely if POS functionality is not currently in use (no functional impact for non-POS stores), restricting access to the WooCommerce POS REST/AJAX endpoints at the web server or WAF layer (which may break legitimate POS terminals), and enabling Patchstack/Wordfence virtual patching rules (which adds an external dependency but blocks the vulnerable path). Monitor WordPress access logs for anomalous unauthenticated requests to wp-json or admin-ajax routes containing 'woocommerce-pos' or 'wcpos'.

Share

CVE-2026-52711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy