Skip to main content

Japanized For WooCommerce EUVDEUVD-2026-40111

| CVE-2026-57340 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 Patchstack GHSA-fvhx-wf6j-vcv7
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable with no auth required; impact is bounded to partial integrity and availability with no confidentiality exposure, consistent with authorization bypass on a localization plugin.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 29, 2026 - 15:23 vuln.today
CVE Published
Jun 29, 2026 - 13:36 cve.org
MEDIUM 6.5

DescriptionCVE.org

Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.

AnalysisAI

Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running vulnerable plugin
Delivery
Send unauthenticated HTTP request to exposed plugin endpoint
Exploit
Bypass missing authorization check
Execution
Execute restricted plugin action
Impact
Modify store data or disrupt plugin functionality

Vulnerability AssessmentAI

Exploitation The Japanized For WooCommerce plugin must be installed and actively enabled on a WordPress site running WooCommerce - sites not using this plugin are entirely unaffected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score reflects a real but bounded threat: network-reachable (AV:N), low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), yet limited to partial integrity and availability impacts (I:L/A:L) with no confidentiality breach (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress store running Japanized For WooCommerce <= 2.9.12 and sends crafted HTTP requests directly to the plugin's exposed WordPress AJAX or REST API endpoint, omitting any authentication credentials. Because the plugin does not perform capability or nonce verification, the request is processed and the attacker can trigger restricted plugin actions - such as modifying store configuration data or causing functional disruption - without any account on the site. …
Remediation The primary remediation is to update the Japanized For WooCommerce plugin to a version beyond 2.9.12 via the WordPress plugin dashboard or wp-cli (wp plugin update woocommerce-for-japan). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy