CVE-2026-39701

Vulnerability

Overview

The ShopWP WordPress plugin (wpshopify) suffers from a Missing Authorization vulnerability affecting versions through 5.2.4. This is a broken access control issue where the plugin fails to properly verify authorization, authentication, or nonce tokens in certain functions. The flaw allows an unprivileged user to execute actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability without needing any special authentication, as the access control checks are missing or incorrectly configured. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or popularity [1].

Impact

Successful exploitation enables an attacker to perform unauthorized actions within the affected WordPress installation, potentially leading to data exposure, privilege escalation, or other malicious activities depending on the specific function lacking authorization checks.

Mitigation

The vendor has not released a patch for this vulnerability. Users are strongly advised to update the plugin immediately if a patched version becomes available. If updating is not possible, users should contact their hosting provider or web developer for assistance. The vulnerability has a CVSS v3 score of 5.3 (Medium severity) [1].