Skip to main content

WordPress EUVDEUVD-2026-15568

| CVE-2026-24372 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-03-25 Patchstack
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15568
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.

AnalysisAI

An authentication bypass vulnerability exists in WP Swings Subscriptions for WooCommerce plugin versions up to and including 1.8.10, allowing attackers to manipulate input data to spoof authentication credentials and bypass access controls. This vulnerability affects WordPress installations using the affected plugin and could allow unauthenticated attackers to gain unauthorized access to subscription management functionality. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned EUVD-2026-15568, indicating active tracking by European vulnerability databases.

Technical ContextAI

The vulnerability is rooted in CWE-290 (Authentication by Spoofing), which represents improper verification of authentication mechanisms where user-controlled input is insufficiently validated before being used for authentication decisions. In the context of WP Swings Subscriptions for WooCommerce (CPE: cpe:2.3:a:wp_swings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*), the plugin fails to properly sanitize and validate authentication-related input data, specifically subscription-related parameters. This allows attackers to manipulate requests to the plugin's authentication handlers, bypassing the legitimate credential verification process that should govern access to subscription management features. The vulnerability likely resides in custom authentication hooks or validation functions that process subscription-related requests without adequate nonce verification, capability checks, or input sanitization.

RemediationAI

Update the WP Swings Subscriptions for WooCommerce plugin to a version later than 1.8.10 immediately via the WordPress plugin management interface or directly from the plugin repository. Verify that version 1.8.11 or later is installed, as this should contain the authentication validation fixes. Until patching is completed, implement WordPress security measures including: enforcing strong user account passwords and two-factor authentication on administrator accounts, restricting direct access to WooCommerce subscription management pages via .htaccess or WAF rules, and monitoring access logs for suspicious requests to subscription-related endpoints. Review subscription modification audit logs to detect any unauthorized changes made during the vulnerability window. For detailed patch information and confirmation of fix availability, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-15568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy