VYPR
Medium severity 4.3 · NVD Advisory · Published May 25, 2026

CVE-2026-24527

Description

Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authorization vulnerability in Autoship Cloud for WooCommerce Subscription Products allows unprivileged users to access restricted functionality.

Vulnerability

A missing authorization vulnerability in the Autoship Cloud for WooCommerce Subscription Products plugin for WordPress allows exploitation of incorrectly configured access control security levels. The issue affects versions from n/a through 2.14.0 [1]. The vulnerability is classified as a Broken Access Control issue, meaning that a missing authorization check in a function could allow an unprivileged user to execute a higher-privileged action [1].

Exploitation

Attackers need no special privileges beyond standard unauthenticated or low-privileged access to a WordPress site running the vulnerable plugin version. The exact sequence of steps is not disclosed in the available references, but the flaw can be triggered by sending crafted requests to the affected plugin's endpoints. This vulnerability is known to be used in mass-exploit campaigns against thousands of websites regardless of traffic size or popularity [1].

Impact

Successful exploitation allows an attacker to perform unauthorized actions due to the missing access control checks. The primary impact is a breach of confidentiality and integrity, potentially leading to unauthorized access to subscription data, modification of settings, or other actions normally restricted to higher-privileged users. The specific privilege level gained depends on the vulnerable function, but the CVSS v3 score of 4.3 indicates a medium-severity impact [1].

Mitigation

The vendor has not yet released a patched version. The immediate action is to update the plugin once a fixed version becomes available. Users who are unable to update should contact their hosting provider or web developer for assistance. The plugin is not listed in the CISA KEV catalog as of the publication date [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
