The vulnerability is a missing authorization flaw that permits exploitation of incorrectly configured access control security levels in the Autoship Cloud for WooCommerce Subscription Products plugin. It falls under CWE-862, which denotes that legitimate users or administrators may be able to perform actions or view information they should not have access to. The result is the potential for attackers to read, modify, or delete subscription product data, or otherwise manipulate subscription workflows without proper administrative privileges.

Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products plugin is affected in all releases from the initial launch up to and including version 2.14.0. Any WordPress installation that has this plugin with a version 2.14.0 or earlier is vulnerable.

The CVSS score of 4.3 indicates moderate severity and a limited impact beyond unauthorized access. No EPSS score is currently available, making it unclear how frequently attackers are targeting this issue. The vulnerability is not listed in the CISA KEV catalog, suggesting no documented active exploitation. The likely attack vector is via the website’s WordPress administration interface, where the plugin’s administrative endpoints lack proper authorization checks; an attacker would first need to authenticate to the site or trick an authenticated user into triggering the vulnerable functionality. Once the check is bypassed, the attacker can perform the privileged actions afforded by the plugin.