Skip to main content

Smart Online Order EUVDEUVD-2026-32194

| CVE-2026-42745 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 audit@patchstack.com GHSA-fw9h-5wwp-r96p
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:55 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.

AnalysisAI

Authentication bypass in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions up to and including 1.6.0) lets remote, unauthenticated attackers reach protected functionality through an alternate code path that fails to enforce the plugin's normal authentication checks (CWE-288). Exploitation requires no privileges, no user interaction, and low attack complexity, but CVSS scopes the impact as limited (low confidentiality, integrity, and availability). There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no current evidence of widespread exploitation.

Technical ContextAI

The affected component is the WordPress plugin "Smart Online Order for Clover" (slug clover-online-orders), which integrates the Clover point-of-sale/online-ordering platform into WordPress storefronts. The root cause is CWE-288, Authentication Bypass Using an Alternate Path or Channel: the plugin exposes a secondary access path (commonly an AJAX action, REST route, or directly invokable handler in WordPress plugins) that does not apply the same identity/authorization verification as the primary, intended authentication flow. As a result, requests routed through that alternate channel are processed as if authenticated. No CPE string was provided in the source data, so exact component-level matching beyond the plugin name and version is not available; the affected-version data comes from the ENISA EUVD record (EUVD-2026-32194).

RemediationAI

No vendor-released patch version is identified in the available data, which states only that versions up to and including 1.6.0 are affected; therefore the primary action is to upgrade to a release later than 1.6.0 once ZAYTECH publishes one (monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-broken-authentication-vulnerability?_s_id=cve and the plugin's WordPress.org page for the fixed version). Until a fixed version is confirmed, apply compensating controls: deactivate and remove the plugin if online ordering is not business-critical (trade-off: disables Clover ordering functionality on the site); deploy a virtual patch / WAF rule (Patchstack and similar WordPress firewalls publish signatures for this class) to block requests to the vulnerable alternate endpoint (trade-off: depends on accurate rule coverage and may need tuning to avoid blocking legitimate ordering traffic); and restrict network/access to the plugin's endpoints where feasible (trade-off: may interfere with legitimate customer access if the storefront is public-facing).

Share

EUVD-2026-32194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy