Skip to main content

Shopwp EUVDEUVD-2026-20402

| CVE-2026-39701 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20402
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4.

AnalysisAI

Missing authorization in ShopWP WordPress plugin versions up to 5.2.4 allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability exposes functionality that should be restricted to authorized users but lacks proper permission validation, enabling attackers to perform unauthorized actions over the network without authentication. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite the network-accessible attack vector.

Technical ContextAI

ShopWP is a WordPress plugin for Shopify integration (CPE: cpe:2.3:a:andrew:shopwp:*:*:*:*:*:*:*:*) that bridges WordPress sites with Shopify commerce data. The vulnerability stems from CWE-862 (Missing Authorization), a class of weaknesses where the application fails to verify that users have explicit permission to perform restricted actions. In a WordPress plugin context, this typically manifests as missing nonce validation, improper capability checks in AJAX handlers, or REST API endpoints that execute privileged operations without role-based access control. The affected code path allows network-accessible endpoints to process requests lacking proper authorization verification, enabling privilege escalation or cross-boundary data manipulation.

RemediationAI

Upgrade ShopWP to the latest patched version beyond 5.2.4 immediately. WordPress administrators should navigate to Plugins > Installed Plugins, locate ShopWP, and click Update if available. If no update is immediately available from the WordPress plugin repository, check the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wpshopify/vulnerability/wordpress-shopwp-plugin-5-2-4-broken-access-control-vulnerability?_s_id=cve for a release timeline and interim mitigation guidance. As a temporary workaround pending patch availability, consider disabling the ShopWP plugin entirely if its commerce functionality is not mission-critical, or restrict API access via WordPress security plugins or web application firewall rules if the specific vulnerable endpoint can be identified.

Share

EUVD-2026-20402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy