Impact
A flaw in the Subaccounts for WooCommerce plugin lets an attacker bypass the normal authentication checks by reaching an account through an alternate path or channel, one that grants a session without requiring the credentials the primary login path demands. An attacker who can reach that path, whether already holding a low-privileged session or not, obtains the rights of the compromised account; that exposes the account's data and, if the account is privileged, can compromise the entire site. The weakness is classified as CWE-288, Authentication Bypass Using an Alternate Path or Channel.
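To make the weakness class concrete, the following is an added, hypothetical illustration of CWE-288 in a WordPress "switch to subaccount" flow. It is not code from Subaccounts for WooCommerce and does not describe the actual flaw; the action name `switch_subaccount`, the request parameter `subaccount_id` and the user-meta key `_subaccount_parent_id` are assumptions. The vulnerable handler is an alternate login path that trusts a request parameter; the hardened handler only shortcuts a relationship the site already trusts.

```php
<?php
/*
 * Hypothetical illustration of CWE-288 (authentication bypass via an alternate path)
 * in a WordPress plugin. Added example, not the plugin's own code.
 * Assumed names: action 'switch_subaccount', parameter 'subaccount_id',
 * user-meta key '_subaccount_parent_id'.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Reachable as /wp-admin/admin-post.php?action=switch_subaccount&subaccount_id=1
// by anyone (admin_post_nopriv_ fires for visitors without a session).
// No login requirement, no nonce, no check that the caller owns the target:
// the request parameter alone decides which account the visitor becomes.
function vulnerable_switch_to_subaccount() {
    $target = absint( $_GET['subaccount_id'] ?? 0 );
    if ( $target ) {
        wp_set_auth_cookie( $target, true ); // issues a full session for $target
        wp_safe_redirect( home_url() );
        exit;
    }
}
// Wiring that makes the pattern above an authentication bypass (left unregistered here
// so this file does not install the vulnerable handler alongside the fixed one):
// add_action( 'admin_post_nopriv_switch_subaccount', 'vulnerable_switch_to_subaccount' );
// add_action( 'admin_post_switch_subaccount',        'vulnerable_switch_to_subaccount' );

// --- Hardened pattern -----------------------------------------------------
function hardened_switch_to_subaccount() {
    // 1. The alternate path is only available to an already authenticated parent account.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', 403 );
    }
    // 2. Tie the request to a form the parent rendered; rejects forged links (CSRF).
    check_admin_referer( 'switch_subaccount' );

    $parent_id   = get_current_user_id();
    $target      = absint( $_GET['subaccount_id'] ?? 0 );
    $target_user = get_userdata( $target );

    // 3. Authorize on the stored relationship, never on the caller-supplied id alone.
    //    Assumed storage: the subaccount carries its owning parent's id in user meta.
    $owner_id = (int) get_user_meta( $target, '_subaccount_parent_id', true );
    if ( ! $target_user || 0 === $owner_id || $owner_id !== $parent_id ) {
        wp_die( 'Not your subaccount.', 403 );
    }

    // 4. Even a correctly linked target must not be a privileged account; otherwise
    //    a mis-linked record turns the shortcut into a privilege escalation path.
    if ( user_can( $target_user, 'manage_options' ) ) {
        wp_die( 'Refusing to switch into a privileged account.', 403 );
    }

    wp_set_auth_cookie( $target, false ); // session-only cookie, no "remember me"
    wp_safe_redirect( home_url() );
    exit;
}
// Registered only for logged-in users: there is deliberately no admin_post_nopriv_ hook.
add_action( 'admin_post_switch_subaccount', 'hardened_switch_to_subaccount' );
```

The form that links to the hardened handler must embed the matching nonce (`wp_nonce_field( 'switch_subaccount' )` or `wp_nonce_url( ..., 'switch_subaccount' )`), otherwise `check_admin_referer()` rejects every request.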
Affected Systems
The affected product is the MediaTicucous Subaccounts for WooCommerce WordPress plugin, all versions up to and including 1.6.6. Any WordPress site with one of these versions installed is at risk; no earlier release is exempt, so the whole range through 1.6.6 should be treated as vulnerable.
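A quick way to find out whether a site is in the affected range is to compare the installed plugin header version against 1.6.6. The following is an added must-use plugin snippet, not part of the advisory or the plugin; the plugin file path `subaccounts-for-woocommerce/subaccounts-for-woocommerce.php` is an assumption and should be checked against the actual install.

```php
<?php
/*
 * Added check, not the plugin's own code: drop into wp-content/mu-plugins/ to flag
 * an installed Subaccounts for WooCommerce at or below 1.6.6 (the affected range).
 * The plugin file path below is assumed; verify it against wp-content/plugins/.
 */
const SFW_PLUGIN_FILE   = 'subaccounts-for-woocommerce/subaccounts-for-woocommerce.php';
const SFW_LAST_AFFECTED = '1.6.6';

/**
 * Returns the installed version string if it is in the affected range,
 * false if a newer version is installed, null if the plugin is not present.
 */
function sfw_affected_version_installed() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugins = get_plugins(); // reads headers of every installed plugin, active or not
    if ( ! isset( $plugins[ SFW_PLUGIN_FILE ] ) ) {
        return null;
    }
    $installed = $plugins[ SFW_PLUGIN_FILE ]['Version'];
    // version_compare() treats components numerically, so 1.6.10 is correctly
    // newer than 1.6.6; a plain string comparison would call 1.6.10 affected.
    return version_compare( $installed, SFW_LAST_AFFECTED, '<=' ) ? $installed : false;
}

add_action( 'admin_notices', function () {
    $installed = sfw_affected_version_installed();
    if ( $installed ) {
        $state = is_plugin_active( SFW_PLUGIN_FILE ) ? 'active' : 'installed but inactive';
        printf(
            '<div class="notice notice-error"><p>Subaccounts for WooCommerce %s is %s; all releases through 1.6.6 are affected. Update or remove it.</p></div>',
            esc_html( $installed ),
            esc_html( $state )
        );
    }
} );
```

The notice distinguishes active from inactive installs because an inactive plugin's files remain on disk and can still be requested directly if they do not guard against that, so removal is the safer end state when updating is not an option.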
Risk and Exploitability
The CVSS base score of 8.8 (High) reflects a high impact on confidentiality, integrity and availability through the compromised account. The EPSS score below 1% indicates that exploitation is currently unlikely to be observed in the wild, though the vulnerability remains a known risk. It is not listed in the CISA KEV catalog. The published description does not name the alternate path or state its prerequisites, so whether the bypass is reachable without an existing session, or only from a low-privileged or administrative interface, cannot be determined from the advisory alone; practical exposure depends on which plugin endpoints are reachable by unauthenticated or low-privileged users on a given site.