
ALD WooCommerce Plugin CVE-2026-57352

EUVD: EUVD-2026-41351 · MEDIUM
Weak Authentication (CWE-1390)
2026-07-02 · Patchstack · GHSA-h53w-vp9x-9hfp
CVSS 3.1 score: 4.8 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary source: 4.8 MEDIUM
  AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI: 4.8 MEDIUM

Network vector confirmed by web plugin context; AC:H retained for broken auth bypass requiring specific precondition; PR:N per unauthenticated classification; C:L/I:L per bounded data exposure with no availability impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Jul 02, 2026 - 12:36 (vuln.today)
CVE Published: Jul 02, 2026 - 11:15 (cve.org)
Severity: MEDIUM 4.8

Description (CVE.org)

Unauthenticated Broken Authentication in ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce, versions <= 2.2.0.

Analysis (AI)

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. With an assigned CVSS 3.1 score of 4.8 and a vector of AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Fingerprint target WordPress/WooCommerce instance
Delivery: Identify ALD plugin version <= 2.2.0
Exploit: Craft request satisfying AC:H bypass condition
Execution: Submit unauthenticated request to vulnerable endpoint
Impact: Access or modify limited plugin-controlled data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an internet-accessible WordPress installation with both WooCommerce and the ALD plugin (version <= 2.2.0) installed and active. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The overall real-world risk is moderate-to-low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated remote attacker identifies a WooCommerce store running the vulnerable ALD plugin version by inspecting page source or plugin fingerprinting. By sending a crafted HTTP request to a plugin-registered AJAX or REST endpoint - constructed to satisfy the high-complexity precondition, such as a specific parameter set or token manipulation - the attacker bypasses the authentication check and retrieves or modifies limited plugin-controlled data such as dropshipping order details or AliExpress configuration values. …

Remediation: Update the ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce plugin to a version above 2.2.0 as soon as a patched release is confirmed available from VillaTheme via the WordPress plugin repository or the vendor site. … Detailed patch versions, workarounds, and compensating controls in full report.
