Impact
The reported vulnerability is a missing authorization flaw that allows attackers who can access the WordPress administrative interface to modify the Barcode Generator for WooCommerce plugin’s settings without proper privilege checks. Exploiting this weakness lets an attacker alter configuration parameters that affect barcode generation, potentially influencing product display or order processing. The weakness is classified as CWE-862 (Missing Authorization); in this case its effect is unauthorized configuration changes.
Affected Systems
The issue affects the Barcode Generator for WooCommerce plugin by Dmitry V., the CEO of UKR Solution, specifically all releases from the initial release (unknown starting version) up to and including version 2.0.4. WordPress sites that have this plugin installed and are running version 2.0.4 or earlier are at risk. The plugin is distributed for WordPress and integrates into WooCommerce product pages and orders.
Risk and Exploitability
The CVSS score is 5.4, placing it in the medium severity range. The EPSS score is less than 1%, indicating a low probability of exploitation at the moment, and it is not listed in the CISA KEV catalog. The vulnerability requires an authenticated user with access to the WordPress admin area; an attacker could impersonate such a user or use credential stuffing to gain that access. Once inside, the attacker can change the plugin’s configuration, which may lead to misrepresentation of barcodes or disrupt WooCommerce functionality. Because no public exploit is known and the impact is limited, applying the patch and monitoring for unexpected settings changes remain the primary mitigation steps.
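To illustrate the CWE-862 pattern described above, here is an added example of a hypothetical WordPress admin-ajax settings handler in its unprotected form beside a hardened form; it is not the Barcode Generator for WooCommerce plugin’s own code, and the action names, option name and setting keys are assumed.

```php
<?php
// Hypothetical illustration of CWE-862 (Missing Authorization) in a WordPress
// plugin settings handler. Not code from the affected plugin; all names assumed.

// Vulnerable pattern: any logged-in user who can reach admin-ajax.php can fire
// this action and overwrite the option, because the handler never checks the
// caller's capability and never verifies a nonce (request intent).
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_barcode_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_unsafe', 'example_save_settings_vulnerable' );

// Hardened pattern: verify the nonce, verify the caller holds an appropriate
// capability, then sanitize each field before storing it.
function example_save_settings_hardened() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Authorization check: only users allowed to manage the shop may change
    // barcode settings. 'manage_woocommerce' is the capability WooCommerce
    // grants to shop managers and administrators.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw   = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'barcode_type' => sanitize_key( $raw['barcode_type'] ?? 'code128' ),
        'width'        => absint( $raw['width'] ?? 2 ),
        'show_text'    => ! empty( $raw['show_text'] ),
    );
    update_option( 'example_barcode_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
```

For monitoring, the same `update_option` call can be paired with an audit log entry (user ID, old and new values) so unexpected settings changes by low-privilege accounts stand out.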
OpenCVE Enrichment