CVE-2026-52711

Vulnerability

A broken access control vulnerability exists in the WooCommerce POS plugin for WordPress, affecting versions up to and including 1.8.14. The issue is categorized as unauthenticated broken access control, meaning no authentication or nonce token check is performed in a function that should have higher privilege requirements. The affected versions are all releases prior to 1.9.0.

Exploitation

An unauthenticated attacker can trigger this vulnerability remotely without any prior authentication or special network position. Since the access control check is missing, the attacker can directly call the vulnerable function to execute actions intended for higher-privileged users. The reference indicates this is expected to be exploited in mass campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an unauthenticated attacker to perform privileged actions within the WooCommerce POS plugin, leading to arbitrary data access or manipulation. This can result in information disclosure, unauthorized modifications, or other compromised operations with the permission level of the vulnerable function. The CVSS score is 7.5 (High) reflecting the serious confidentiality and integrity impact [1].

Mitigation

The vulnerability is fixed in version 1.9.0 of the WooCommerce POS plugin. Users should update to version 1.9.0 or later immediately. If immediate update is not possible, Patchstack users can enable auto-update for vulnerable plugins or apply a mitigation rule to block attacks until updated. The vulnerability is listed as expected to be exploited in mass attacks, so prompt action is critical [1].