Description
The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.
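The root cause named above is a WordPress AJAX handler that performs a destructive reset without first checking who is calling it. The following is an added illustration, not code from the MailerLite - WooCommerce plugin: a hypothetical reset handler in the vulnerable shape (CWE-862, no capability check) beside its hardened form. All names prefixed `wml_example_` and the option names are placeholders; the two table names are the ones the advisory lists.

```php
<?php
/**
 * Hypothetical WordPress AJAX reset handler: the vulnerable shape beside the
 * hardened one. Example code, not the MailerLite - WooCommerce plugin's source.
 * Identifiers prefixed "wml_example_" and the option names are placeholders.
 */

// Shared destructive body. Both handlers below call it; only the hardened one
// verifies intent (nonce) and authority (capability) before it runs.
function wml_example_perform_reset() {
    global $wpdb;
    delete_option( 'wml_example_api_key' );    // placeholder option name
    delete_option( 'wml_example_sync_state' ); // placeholder option name
    // Table names as listed in the advisory, with the site's table prefix.
    $carts = $wpdb->prefix . 'woo_mailerlite_carts';
    $jobs  = $wpdb->prefix . 'woo_mailerlite_jobs';
    $wpdb->query( "DROP TABLE IF EXISTS `{$carts}`" );
    $wpdb->query( "DROP TABLE IF EXISTS `{$jobs}`" );
}

// VULNERABLE pattern (CWE-862). A wp_ajax_* hook fires for every logged-in
// user regardless of role, so authorization has to live inside the handler.
// This one has none: any authenticated account, Subscriber included, can wipe
// the plugin's data. Shown for contrast only; it is not hooked below.
function wml_example_reset_integration_unchecked() {
    wml_example_perform_reset();
    wp_send_json_success( 'Integration reset.' );
}

// HARDENED pattern: confirm the request was deliberately issued from the
// plugin's own admin page (nonce), then confirm the caller may administer the
// site (capability). Both must pass before any write happens.
function wml_example_reset_integration_checked() {
    // Third argument false makes check_ajax_referer() return instead of
    // dying, so the handler can answer with a JSON error and a 403 status.
    if ( ! check_ajax_referer( 'wml_example_reset', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce.', 403 ); // exits
    }
    // 'manage_options' is held by Administrators on a single site, which is
    // the right bar for an operation that drops tables. A Subscriber fails
    // this check and never reaches wml_example_perform_reset().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 ); // exits
    }
    wml_example_perform_reset();
    wp_send_json_success( 'Integration reset.' );
}
add_action( 'wp_ajax_wml_example_reset_checked', 'wml_example_reset_integration_checked' );

// The settings page that hosts the reset button hands a matching nonce to its
// script; the client sends it back in the "nonce" field of the AJAX request.
function wml_example_enqueue_admin_script( $hook ) {
    if ( 'settings_page_wml_example' !== $hook ) { // placeholder page hook
        return;
    }
    wp_enqueue_script( 'wml-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wml-example-admin', 'wmlExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wml_example_reset' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wml_example_enqueue_admin_script' );
```

Two points worth keeping in mind when reviewing handlers like this: the nonce alone is not an authorization check (a Subscriber who can load the page can obtain a nonce), and the capability check alone does not stop a cross-site request forged against an administrator, which is why the hardened version needs both. `wp_send_json_error()` calls `wp_die()` internally, so neither guard can fall through into the destructive body.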
Published: 2026-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss via Unauthorized Deletion
Action: Immediate Patch
AI Analysis

Impact

The MailerLite – WooCommerce integration plugin for WordPress contains missing capability checks on the resetIntegration() function, allowing authenticated users with Subscriber-level access to reset integration settings, delete all plugin options, and drop the plugin’s database tables. This can result in complete loss of abandoned cart data and sync job history, effectively erasing critical e‑commerce information.

Affected Systems

All installations of the MailerLite – WooCommerce integration plugin up to and including version 3.1.3 are affected. WordPress sites running any of these versions are at risk and should review their current plugin version.

Risk and Exploitability

The CVSS score of 6.5 rates this vulnerability as Medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation. The attacker only needs valid credentials with Subscriber-level permissions, a role that is commonly granted to many users, and the vulnerability is not listed in the CISA KEV catalog. Consequently, the risk is moderate, though the likelihood of exploitation remains low compared to high-privilege attacks.

Generated by OpenCVE AI on April 15, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MailerLite – WooCommerce integration plugin to the latest version, which includes the missing authorization checks.
  • Revoke or restrict Subscriber-role users from accessing the resetIntegration endpoint by adjusting role capabilities or using a plugin that enforces stricter permissions.
  • If an immediate upgrade is not possible, consider disabling the integration or removing the plugin’s database tables manually to prevent data loss until a patch is applied.

Generated by OpenCVE AI on April 15, 2026 at 17:39 UTC.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Mailerlite; Mailerlite mailerlite; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mailerlite; Mailerlite mailerlite; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Fri, 16 Jan 2026 05:00:00 +0000

Type: Description
Values Added: The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.

Type: Title
Values Added: MailerLite - WooCommerce integration <= 3.1.3 - Missing Authorization to Data Deletion

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:06.221Z

Reserved: 2026-01-15T16:35:54.267Z

Link: CVE-2026-1000

Vulnrichment

Updated: 2026-01-16T14:38:33.875Z

NVD

Status : Deferred

Published: 2026-01-16T05:16:17.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses