Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
High-privilege authentication required to reach the bulk-edit handler; only integrity impacted via unauthorized product data modification, no confidentiality or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products - WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products - WP Sheet Editor: from n/a through <= 1.8.21.
AnalysisAI
Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with a high-privilege WordPress role (consistent with PR:H in the CVSS vector - Administrator or equivalent Shop Manager level). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.9 (Medium) is driven by AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or compromised a high-privilege WordPress account - such as an Administrator or Shop Manager - navigates to the WP Sheet Editor bulk-edit interface and performs product data modification actions that should be restricted to a narrower permission scope. Because the plugin fails to verify the caller's specific capability against the requested operation, the attacker can alter pricing, stock levels, or product descriptions across the entire WooCommerce catalog in bulk, potentially causing financial harm or reputational damage. … |
| Remediation | No exact patched version number is confirmed in the available intelligence data - the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-bulk-edit-products/vulnerability/wordpress-woocommerce-bulk-edit-products-wp-sheet-editor-plugin-1-8-21-broken-access-control-vulnerability should be consulted for the confirmed fix release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43433