Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.
AnalysisAI
An authentication bypass vulnerability exists in WP Swings Subscriptions for WooCommerce plugin versions up to and including 1.8.10, allowing attackers to manipulate input data to spoof authentication credentials and bypass access controls. This vulnerability affects WordPress installations using the affected plugin and could allow unauthenticated attackers to gain unauthorized access to subscription management functionality. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned EUVD-2026-15568, indicating active tracking by European vulnerability databases.
Technical ContextAI
The vulnerability is rooted in CWE-290 (Authentication by Spoofing), which represents improper verification of authentication mechanisms where user-controlled input is insufficiently validated before being used for authentication decisions. In the context of WP Swings Subscriptions for WooCommerce (CPE: cpe:2.3:a:wp_swings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*), the plugin fails to properly sanitize and validate authentication-related input data, specifically subscription-related parameters. This allows attackers to manipulate requests to the plugin's authentication handlers, bypassing the legitimate credential verification process that should govern access to subscription management features. The vulnerability likely resides in custom authentication hooks or validation functions that process subscription-related requests without adequate nonce verification, capability checks, or input sanitization.
RemediationAI
Update the WP Swings Subscriptions for WooCommerce plugin to a version later than 1.8.10 immediately via the WordPress plugin management interface or directly from the plugin repository. Verify that version 1.8.11 or later is installed, as this should contain the authentication validation fixes. Until patching is completed, implement WordPress security measures including: enforcing strong user account passwords and two-factor authentication on administrator accounts, restricting direct access to WooCommerce subscription management pages via .htaccess or WAF rules, and monitoring access logs for suspicious requests to subscription-related endpoints. Review subscription modification audit logs to detect any unauthorized changes made during the vulnerability window. For detailed patch information and confirmation of fix availability, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15568