Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress endpoint with missing authorization (PR:N, AV:N, AC:L, UI:N); broken access control leaks protected data so C:H, with no write or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.
AnalysisAI
Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.
Technical ContextAI
WooCommerce POS (kilbot/woocommerce-pos per the CPE cpe:2.3:a:kilbot:woocommerce_pos) is a point-of-sale extension for WooCommerce that exposes additional REST or AJAX endpoints to manage orders, products, and customer data inside the WordPress admin and storefront contexts. CWE-862 (Missing Authorization) indicates that one or more of these endpoints performs its action without verifying the caller's WordPress capability, nonce, or user role - typically by omitting a permission_callback in register_rest_route() or skipping current_user_can() checks. Because WooCommerce stores PII and order data, broken access control on such endpoints can leak sensitive commercial information without any credentials.
RemediationAI
Upstream fix available per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woocommerce-pos/vulnerability/wordpress-woocommerce-pos-plugin-1-8-14-broken-access-control-vulnerability) but a released patched version is not independently confirmed in the input; administrators should update WooCommerce POS to any version higher than 1.8.14 once the developer publishes it on wordpress.org and verify the changelog references this access control fix. Until the upgrade is applied, compensating controls include deactivating the WooCommerce POS plugin entirely if POS functionality is not currently in use (no functional impact for non-POS stores), restricting access to the WooCommerce POS REST/AJAX endpoints at the web server or WAF layer (which may break legitimate POS terminals), and enabling Patchstack/Wordfence virtual patching rules (which adds an external dependency but blocks the vulnerable path). Monitor WordPress access logs for anomalous unauthenticated requests to wp-json or admin-ajax routes containing 'woocommerce-pos' or 'wcpos'.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37048
GHSA-6g34-fq4g-j6p6