Skip to main content

License Manager for WooCommerce CVE-2026-61958

| EUVDEUVD-2026-43437 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
5.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-accessible WordPress plugin endpoint (AV:N); requires authenticated low-privilege account (PR:L); content deletion produces limited integrity and availability impact only.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:16 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 5.4

DescriptionCVE.org

Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: from n/a through <= 3.0.17.

AnalysisAI

Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain low-privilege WordPress account
Delivery
Identify plugin's unprotected deletion endpoint
Exploit
Send crafted HTTP request to endpoint
Execution
Bypass missing authorization check
Impact
Delete arbitrary plugin-managed content

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum a low-privilege role such as subscriber or customer (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 (Medium) reflects a network-accessible (AV:N), low-complexity (AC:L) attack requiring a low-privilege authenticated account (PR:L) with no user interaction (UI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege WordPress account (e.g., subscriber or customer) on a target site running License Manager for WooCommerce ≤3.0.17. The attacker then sends crafted HTTP requests to the plugin's unprotected endpoint, invoking deletion operations against arbitrary content without triggering any authorization failure. …
Remediation The primary remediation is to update the License Manager for WooCommerce plugin beyond version 3.0.17 via the WordPress plugin dashboard or by downloading the latest release from the plugin repository; the exact fixed version was not independently confirmed in the available data, so verify the changelog prior to updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy