Skip to main content

WooCommerce Dropshipping EUVDEUVD-2026-37614

| CVE-2026-49071 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-17 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible authentication bypass with no credentials required; C:L/I:L reflects limited plugin-scope data exposure with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:52 vuln.today
CVE Published
Jun 17, 2026 - 09:51 cve.org
MEDIUM 6.5

DescriptionCVE.org

Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.

AnalysisAI

Broken authentication in WooCommerce Dropshipping plugin versions 5.2.4 and earlier allows unauthenticated remote attackers to bypass authentication controls via an alternate path or channel (CWE-288), yielding partial confidentiality and integrity impact on affected WordPress e-commerce installations. Reported by Patchstack, the flaw is confirmed at CVSS 6.5 Medium with a fully network-accessible, zero-complexity attack path requiring no privileges or user interaction. No public exploit code or CISA KEV listing exists at time of analysis, moderating real-world urgency despite the low exploitation barrier.

Technical ContextAI

WooCommerce Dropshipping is a WordPress plugin developed by OPMC (CPE: cpe:2.3:a:opmc:woocommerce_dropshipping:*:*:*:*:*:*:*:*) that extends WooCommerce stores with supplier and dropshipping management capabilities. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes a root cause where a system implements an authentication gate on the primary path but exposes a secondary route - such as a REST API endpoint, AJAX action, or internal callback - that omits or insufficiently enforces the same checks. In this plugin's context, a WordPress AJAX hook or REST route likely performs privileged operations (e.g., accessing supplier data, order details, or plugin settings) while relying on a flawed or absent nonce/capability check, permitting access without a valid WordPress session.

RemediationAI

No exact patched version is confirmed from available data - the fix version must be verified via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woocommerce-dropshipping/vulnerability/wordpress-woocommerce-dropshipping-plugin-5-2-4-broken-authentication-vulnerability before upgrading. Store administrators should immediately check the WordPress plugin dashboard for an update to WooCommerce Dropshipping beyond version 5.2.4 and apply it. As a compensating control, if no patched version is yet available, consider deactivating the plugin until a fix is released - trade-off: dropshipping automation will cease, requiring manual supplier management. Alternatively, if the vulnerable functionality can be isolated to specific REST or AJAX routes via server-level configuration (e.g., nginx location blocks or WAF rules targeting the plugin's slug), restricting those endpoints to authenticated sessions adds a layer of defense without full deactivation.

Share

EUVD-2026-37614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy