Skip to main content

WP Sheet Editor EUVDEUVD-2026-43433

| CVE-2026-61952 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
4.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
4.9 MEDIUM

High-privilege authentication required to reach the bulk-edit handler; only integrity impacted via unauthorized product data modification, no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:17 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 4.9

DescriptionCVE.org

Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products - WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products - WP Sheet Editor: from n/a through <= 1.8.21.

AnalysisAI

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise high-privilege WordPress account
Delivery
Authenticate to WordPress admin panel
Exploit
Access WP Sheet Editor bulk-edit interface
Execution
Invoke privileged product-edit operations
Persist
Authorization check bypassed due to CWE-862
Impact
Bulk-modify WooCommerce product catalog data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with a high-privilege WordPress role (consistent with PR:H in the CVSS vector - Administrator or equivalent Shop Manager level). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.9 (Medium) is driven by AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or compromised a high-privilege WordPress account - such as an Administrator or Shop Manager - navigates to the WP Sheet Editor bulk-edit interface and performs product data modification actions that should be restricted to a narrower permission scope. Because the plugin fails to verify the caller's specific capability against the requested operation, the attacker can alter pricing, stock levels, or product descriptions across the entire WooCommerce catalog in bulk, potentially causing financial harm or reputational damage. …
Remediation No exact patched version number is confirmed in the available intelligence data - the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-bulk-edit-products/vulnerability/wordpress-woocommerce-bulk-edit-products-wp-sheet-editor-plugin-1-8-21-broken-access-control-vulnerability should be consulted for the confirmed fix release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy