Skip to main content

License Manager for WooCommerce CVE-2026-56013

| EUVDEUVD-2026-39376 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-25 Patchstack GHSA-mfcp-5rpw-xxc5
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-accessible unauthenticated IDOR on standard WooCommerce plugin endpoints; manipulation-only impact supports I:L/A:L with C:N pending vendor confirmation.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 14:37 vuln.today
CVE Published
Jun 25, 2026 - 13:12 cve.org
MEDIUM 6.5

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.

AnalysisAI

Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WooCommerce store running plugin <= 3.0.15
Delivery
Send unauthenticated HTTP request with manipulated license object ID
Exploit
Plugin skips authorization check
Execution
Attacker references arbitrary license record
Persist
Modify or invalidate target customer license
Impact
Disrupt legitimate software access

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS vector explicitly sets PR:N and the vulnerability is tagged as an authentication bypass, confirming unauthenticated exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L reflects a low-complexity, unauthenticated, network-accessible attack with limited but real impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a series of HTTP requests to the License Manager for WooCommerce plugin's public endpoints, substituting sequential or guessed license object identifiers in request parameters. The plugin performs no authorization check on the supplied identifier, allowing the attacker to reference and modify or invalidate license records belonging to other customers. …
Remediation Update License Manager for WooCommerce to a version above 3.0.15 as soon as a patched release is available from the plugin author (mycred). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy