Description
Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Missing Authorization
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check allows attackers to access administrative functions of the ShopWP plugin, potentially enabling unauthorized configuration changes and exploitation of additional vulnerabilities. The flaw originates from incorrectly configured access control security levels. The weakness is classified as Missing Authorization (CWE-862).

Affected Systems

The vulnerability affects the WordPress ShopWP plugin developed by Andrew (wpshopify) on all versions up to and including 5.2.4. Users running any of those versions on a WordPress site are susceptible. No specific WordPress core or PHP version restrictions are noted.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while an EPSS score below 1% suggests exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the plugin’s administrative interface over the web; the attack vector is inferred to be remote web-based exploitation as the plugin presents forms and settings in the WordPress dashboard.

Generated by OpenCVE AI on April 13, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShopWP plugin to version 5.2.5 or later.
  • If an immediate upgrade is not possible, restrict access to the plugin’s administrative pages using authentication and firewall rules.
  • Verify that the plugin’s security level settings enforce proper authorization for all actions.
  • Monitor site logs for unexplained access attempts to the ShopWP interface.
  • Keep the WordPress core, other plugins, and PHP runtime up to date to reduce overall attack surface.

Generated by OpenCVE AI on April 13, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Andrew
Andrew shopwp
Wordpress
Wordpress wordpress
Vendors & Products Andrew
Andrew shopwp
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4.
Title WordPress ShopWP plugin <= 5.2.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Andrew Shopwp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.602Z

Reserved: 2026-04-07T10:58:16.464Z

Link: CVE-2026-39701

cve-icon Vulnrichment

Updated: 2026-04-13T18:18:12.870Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:42.690

Modified: 2026-04-29T10:17:42.357

Link: CVE-2026-39701

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:25Z

Weaknesses