Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4.
AnalysisAI
Missing authorization in ShopWP WordPress plugin versions up to 5.2.4 allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability exposes functionality that should be restricted to authorized users but lacks proper permission validation, enabling attackers to perform unauthorized actions over the network without authentication. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite the network-accessible attack vector.
Technical ContextAI
ShopWP is a WordPress plugin for Shopify integration (CPE: cpe:2.3:a:andrew:shopwp:*:*:*:*:*:*:*:*) that bridges WordPress sites with Shopify commerce data. The vulnerability stems from CWE-862 (Missing Authorization), a class of weaknesses where the application fails to verify that users have explicit permission to perform restricted actions. In a WordPress plugin context, this typically manifests as missing nonce validation, improper capability checks in AJAX handlers, or REST API endpoints that execute privileged operations without role-based access control. The affected code path allows network-accessible endpoints to process requests lacking proper authorization verification, enabling privilege escalation or cross-boundary data manipulation.
RemediationAI
Upgrade ShopWP to the latest patched version beyond 5.2.4 immediately. WordPress administrators should navigate to Plugins > Installed Plugins, locate ShopWP, and click Update if available. If no update is immediately available from the WordPress plugin repository, check the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wpshopify/vulnerability/wordpress-shopwp-plugin-5-2-4-broken-access-control-vulnerability?_s_id=cve for a release timeline and interim mitigation guidance. As a temporary workaround pending patch availability, consider disabling the ShopWP plugin entirely if its commerce functionality is not mission-critical, or restrict API access via WordPress security plugins or web application firewall rules if the specific vulnerable endpoint can be identified.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20402