Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable with no auth required; impact is bounded to partial integrity and availability with no confidentiality exposure, consistent with authorization bypass on a localization plugin.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.
AnalysisAI
Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Japanized For WooCommerce plugin must be installed and actively enabled on a WordPress site running WooCommerce - sites not using this plugin are entirely unaffected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score reflects a real but bounded threat: network-reachable (AV:N), low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), yet limited to partial integrity and availability impacts (I:L/A:L) with no confidentiality breach (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress store running Japanized For WooCommerce <= 2.9.12 and sends crafted HTTP requests directly to the plugin's exposed WordPress AJAX or REST API endpoint, omitting any authentication credentials. Because the plugin does not perform capability or nonce verification, the request is processed and the attacker can trigger restricted plugin actions - such as modifying store configuration data or causing functional disruption - without any account on the site. … |
| Remediation | The primary remediation is to update the Japanized For WooCommerce plugin to a version beyond 2.9.12 via the WordPress plugin dashboard or wp-cli (wp plugin update woocommerce-for-japan). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Japanized For Woocommerce
View allThe Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ paramet
The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before outputting them in att
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40111
GHSA-fvhx-wf6j-vcv7