Description
Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing. This issue affects WooODT Lite: from n/a through <= 2.5.2.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Identity Spoofing
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the WooODT Lite plugin allows an attacker to bypass authentication by spoofing identities, effectively letting them act as another user without proper credentials. This can enable fraudulent payments or other privileged actions that normally require verified user identities. The weakness is classified as an authentication bypass via spoofing (CWE‑290).

Affected Systems

All installations of the WooODT Lite WordPress plugin from the vendor mdalabar are affected, in any version up to and including 2.5.2. Every deployment that has not yet been patched beyond this version is exposed.

Risk and Exploitability

The vulnerability carries a high CVSS score of 7.5, indicating a serious potential impact. The EPSS score of less than 1% suggests that exploitation is not currently common, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve manipulating the plugin’s HTTP endpoints or administrative interface to craft spoofed requests that pass the plugin’s authentication checks without valid credentials. A successful exploit would grant the attacker the same permissions as the targeted user, potentially leading to unauthorized financial transactions or data access.

Generated by OpenCVE AI on April 27, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WooODT Lite to the latest available version that addresses the authentication bypass flaw.
  • If an update cannot be applied immediately, temporarily disable or remove the plugin from the WordPress installation to eliminate the attack surface.
  • Implement or enforce additional authentication safeguards such as session token validation, strict user‑ID checks, and CSRF protection to mitigate similar bypass attempts in other plugins or custom code.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 18:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Mdalabar; Mdalabar wooodt Lite; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mdalabar; Mdalabar wooodt Lite; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing. This issue affects WooODT Lite: from n/a through <= 2.5.2.

Type: Title
Values Added: WordPress WooODT Lite plugin <= 2.5.2 - Payment Bypass Vulnerability vulnerability

Type: Weaknesses
Values Added: CWE-290

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:40.161Z

Reserved: 2025-12-31T20:13:16.055Z

Link: CVE-2025-69401

Vulnrichment

Updated: 2026-02-25T15:05:24.575Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:25.897

Modified: 2026-04-27T19:16:46.640

Link: CVE-2025-69401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses