Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Network vector confirmed by web plugin context; AC:H retained for broken auth bypass requiring specific precondition; PR:N per unauthenticated classification; C:L/I:L per bounded data exposure with no availability impact.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Description (CVE.org)
Unauthenticated Broken Authentication in ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce <= 2.2.0 versions.
Analysis (AI)
Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. The issue is assigned a CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N); the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an internet-accessible WordPress installation with both WooCommerce and the ALD plugin (version <= 2.2.0) installed and active. … |
| Risk Assessment | The overall real-world risk is moderate-to-low. … |
| Exploit Scenario | An unauthenticated remote attacker identifies a WooCommerce store running the vulnerable ALD plugin version by inspecting page source or plugin fingerprinting. By sending a crafted HTTP request to a plugin-registered AJAX or REST endpoint - constructed to satisfy the high-complexity precondition, such as a specific parameter set or token manipulation - the attacker bypasses the authentication check and retrieves or modifies limited plugin-controlled data such as dropshipping order details or AliExpress configuration values. … |
| Remediation | Update the ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce plugin to a version above 2.2.0 as soon as a patched release is confirmed available from VillaTheme via the WordPress plugin repository or the vendor site. … |
Same weakness: CWE-1390 – Weak Authentication
Same technique: Information Disclosure
EUVD-2026-41351
GHSA-h53w-vp9x-9hfp