Description
Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an actor to forge authentication credentials, enabling them to view and modify subscription data that should be restricted to administrators. This type of flaw, classified as a credential‑spoofing bypass, can expose sensitive customer information and potentially allow the creation, cancellation, or alteration of subscriptions without proper authority, thereby undermining the integrity and confidentiality of subscription data.

Affected Systems

WordPress sites that have installed the WP Swings Subscriptions for WooCommerce plugin at version 1.8.10 or earlier are vulnerable. The issue applies to all releases from the earliest available build up to and including the 1.8.10 release. Any site running a version in this range will have the authentication bypass until updated.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating a high level of risk. Its EPSS score is reported to be below 1 %, denoting a low probability of exploitation in the wild, and it is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector involves submitting specially crafted HTTP requests to the plugin’s endpoints that masquerade as legitimate administrative actions. An attacker with network-level access to the WordPress environment, even with minimal credentials, can exploit this weakness to manipulate subscription data.

Generated by OpenCVE AI on March 26, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Swings Subscriptions for WooCommerce to a version newer than 1.8.10 as soon as possible.
  • If an update cannot be deployed immediately, block public access to all subscription‑related URLs and enforce strict authentication for any remaining functionality.
  • Review and audit subscription activity logs for unauthorized changes and investigate any suspicious events promptly.

Generated by OpenCVE AI on March 26, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Swings
Wp Swings subscriptions For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wp Swings
Wp Swings subscriptions For Woocommerce

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.
Title WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass Vulnerability vulnerability
Weaknesses CWE-290
References

Subscriptions

Wordpress Wordpress
Wp Swings Subscriptions For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:05.005Z

Reserved: 2026-01-22T14:42:32.873Z

Link: CVE-2026-24372

cve-icon Vulnrichment

Updated: 2026-03-26T20:10:52.611Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:37.660

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24372

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:28Z

Weaknesses