Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-accessible unauthenticated IDOR on standard WooCommerce plugin endpoints; manipulation-only impact supports I:L/A:L with C:N pending vendor confirmation.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.
AnalysisAI
Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the CVSS vector explicitly sets PR:N and the vulnerability is tagged as an authentication bypass, confirming unauthenticated exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base score of 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L reflects a low-complexity, unauthenticated, network-accessible attack with limited but real impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a series of HTTP requests to the License Manager for WooCommerce plugin's public endpoints, substituting sequential or guessed license object identifiers in request parameters. The plugin performs no authorization check on the supplied identifier, allowing the attacker to reference and modify or invalidate license records belonging to other customers. … |
| Remediation | Update License Manager for WooCommerce to a version above 3.0.15 as soon as a patched release is available from the plugin author (mycred). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager Lic
The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing c
Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authentic
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39376
GHSA-mfcp-5rpw-xxc5