Skip to main content

Shoppable Images Lite CVE-2026-57649

| EUVDEUVD-2026-39764 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-5p8m-h8vr-j4rc
4.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable WordPress endpoint (AV:N), trivial to exploit (AC:L), subscriber account required (PR:L); only limited read-only data exposure with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:10 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions.

AnalysisAI

Broken access control in the Shoppable Images Lite WordPress plugin (versions 1.3 and below) allows subscriber-level authenticated users to perform actions or access data beyond their authorized scope. Rooted in CWE-862 (Missing Authorization), the plugin fails to verify whether the requesting user holds sufficient privileges before executing restricted functionality. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber WordPress credentials
Exploit
Send crafted request to unprotected plugin endpoint
Execution
Bypass authorization check
Impact
Read restricted shoppable image configuration or data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber-level account on the target site (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.3 (Medium) accurately reflects a constrained impact profile: confidentiality is partially affected (C:L) while integrity and availability are unaffected, and exploitation requires a valid subscriber-level WordPress account (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or logs in as a subscriber on a target WordPress site running Shoppable Images Lite 1.3 or earlier. The attacker sends a crafted authenticated HTTP request directly to a vulnerable plugin endpoint - such as an unprotected AJAX action - bypassing the intended authorization check. …
Remediation Upstream fix availability is not independently confirmed from the provided data - no exact patched version number was included in the advisory reference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy