Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.
AnalysisAI
Missing authorization in Mulika Team MIPL WC Multisite Sync WordPress plugin versions 1.4.4 and earlier allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control mechanisms. The vulnerability affects all versions from initial release through 1.4.4, with an EPSS score of 0.02% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 5.3. No active exploitation or public proof-of-concept has been identified at time of analysis.
Technical ContextAI
MIPL WC Multisite Sync is a WordPress plugin designed to synchronize WooCommerce product and order data across multisite WordPress installations. The vulnerability stems from a missing authorization check (CWE-862) in the plugin's access control implementation, allowing an unauthenticated attacker to bypass security levels that should restrict data modification to authorized administrators or specific roles. The plugin's REST API endpoints or AJAX handlers likely lack proper nonce verification and capability checks, permitting unauthorized state modification operations on synchronized WooCommerce data across connected sites. As a WordPress plugin, exploitation occurs within the WordPress application context, requiring access to the vulnerable plugin's endpoints.
RemediationAI
Update MIPL WC Multisite Sync to a patched version newer than 1.4.4 via the WordPress plugin dashboard or by downloading the latest release from the plugin repository. If a specific patched version number is unavailable from the vendor, verify the plugin version has been updated to a post-1.4.4 release before re-enabling the plugin. As an interim mitigation, restrict WordPress REST API access to authenticated users or disable the plugin entirely if multisite synchronization is not actively required. Refer to the Patchstack vulnerability database and NIST NVD advisory for the most current patch information and plugin release notes.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20411
GHSA-fpj7-fjcx-j6w2