Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-accessible WordPress plugin endpoint (AV:N); requires authenticated low-privilege account (PR:L); content deletion produces limited integrity and availability impact only.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: from n/a through <= 3.0.17.
AnalysisAI
Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum a low-privilege role such as subscriber or customer (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 (Medium) reflects a network-accessible (AV:N), low-complexity (AC:L) attack requiring a low-privilege authenticated account (PR:L) with no user interaction (UI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privilege WordPress account (e.g., subscriber or customer) on a target site running License Manager for WooCommerce ≤3.0.17. The attacker then sends crafted HTTP requests to the plugin's unprotected endpoint, invoking deletion operations against arbitrary content without triggering any authorization failure. … |
| Remediation | The primary remediation is to update the License Manager for WooCommerce plugin beyond version 3.0.17 via the WordPress plugin dashboard or by downloading the latest release from the plugin repository; the exact fixed version was not independently confirmed in the available data, so verify the changelog prior to updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager Lic
The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing c
Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43437