Skip to main content

WordPress EUVDEUVD-2026-12764

| CVE-2026-1926 MEDIUM
Missing Authorization (CWE-862)
2026-03-18 Wordfence
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 04:30 euvd
EUVD-2026-12764
Analysis Generated
Mar 18, 2026 - 04:30 vuln.today
CVE Published
Mar 18, 2026 - 03:37 nvd
MEDIUM 5.3

DescriptionCVE.org

The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wps_sfw_admin_cancel_susbcription() function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the init action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via wp_verify_nonce(). This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the wps_subscription_id parameter.

AnalysisAI

The Subscriptions for WooCommerce plugin contains a critical authentication bypass vulnerability in the subscription cancellation function that allows unauthenticated attackers to cancel any active WooCommerce subscription. The vulnerability affects all versions up to and including 1.9.2 of the plugin (CPE: cpe:2.3:a:wpswings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*) and stems from a missing capability check combined with improper nonce validation. An attacker can exploit this with a simple GET request, requiring no special privileges or user interaction, resulting in unauthorized modification of subscription data with a CVSS score of 5.3 and confirmed active exploitation potential.

Technical ContextAI

The vulnerability resides in the WordPress plugin architecture where the wps_sfw_admin_cancel_susbcription() function is improperly hooked to the init action without adequate security controls. The root cause falls under CWE-862 (Missing Authorization), where the function performs only a non-empty check on the nonce parameter (isset() check) but fails to invoke the critical wp_verify_nonce() function required by WordPress security standards. The plugin is built for WooCommerce, a WordPress e-commerce framework, and the vulnerability allows manipulation of subscription data through the wps_subscription_id GET parameter. This represents a fundamental failure in the WordPress security model where admin-level operations must be protected by both authentication (ensuring the user is logged in) and authorization (ensuring the user has the manage_options or equivalent capability), neither of which are enforced here.

RemediationAI

Immediately upgrade the Subscriptions for WooCommerce plugin to version 1.9.3 or later, which includes proper nonce validation via wp_verify_nonce() and capability checks via current_user_can(). The patch is available through the WordPress plugin repository. For users unable to update immediately, implement a temporary workaround by disabling the plugin until patching is complete, as the vulnerability is unauthenticated and trivial to exploit. Additionally, site administrators should review WooCommerce subscription logs and audit trails for evidence of unauthorized cancellations during the vulnerability window, and consider implementing a Web Application Firewall (WAF) rule to block requests containing wps_subscription_id parameters from non-authenticated sessions. See Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/eabfdf29-eca9-4e4b-b809-23a83f5a91ac?source=cve for additional details and confirmation of patch deployment.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-12764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy