Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce allows Password Recovery Exploitation.

This issue affects Wallet System for WooCommerce: from n/a through 2.7.5.
Published: 2026-06-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in WP Swings Wallet System for WooCommerce allows an attacker to bypass authentication by exploiting an alternate path or channel used during password recovery. Because of this flaw, an unauthenticated attacker could trigger the password reset process and potentially reset a user's credentials, thereby gaining unauthorized access to the website and its e-commerce functionality. The weakness is a classic authentication bypass, classified as CWE-288.

Affected Systems

The affected product is the WP Swings Wallet System for WooCommerce plugin, in all versions through 2.7.5. Any installation of this plugin that has not been upgraded to the fixed release is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 is rated High. The published vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, low confidentiality impact and high integrity impact. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploit in the wild. The flaw permits an unauthenticated attacker to access the password recovery endpoint, which is typically publicly reachable, potentially resetting a user's credentials and gaining unauthorized access. Because the exploitation path is straightforward and widely reachable, the risk to affected installations is significant, though no public exploit evidence exists.

Generated by OpenCVE AI on June 2, 2026 at 16:52 UTC.

Remediation

Vendor Solution

Update the WordPress Wallet System for WooCommerce Plugin to the latest available version (at least 2.7.6).


OpenCVE Recommended Actions

  • Update the WordPress Wallet System for WooCommerce plugin to version 2.7.6 or later.
  • If a timely update is not possible, consider disabling the password recovery feature or restricting it to verified users to reduce the attack surface.
  • Implement monitoring of authentication and password reset logs to detect abnormal activity and respond promptly.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:45:00 +0000

Type: values added (none removed)
  • First Time appeared: Wordpress; Wordpress wordpress; Wpswings; Wpswings wallet System For Woocommerce
  • Vendors & Products: Wordpress; Wordpress wordpress; Wpswings; Wpswings wallet System For Woocommerce

Tue, 02 Jun 2026 17:30:00 +0000

Type: values added (none removed)
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 15:45:00 +0000

Type: values added (none removed)
  • Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce allows Password Recovery Exploitation. This issue affects Wallet System for WooCommerce: from n/a through 2.7.5.
  • Title: WordPress Wallet System for WooCommerce plugin <= 2.7.5 - Broken Authentication vulnerability
  • Weaknesses: CWE-288
  • References
  • Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T16:48:26.226Z

Reserved: 2026-04-29T09:04:43.153Z

Link: CVE-2026-42654

Vulnrichment

Updated: 2026-06-02T16:47:58.903Z

NVD

Status: Deferred

Published: 2026-06-02T16:16:40.373

Modified: 2026-06-02T17:11:00.443

Link: CVE-2026-42654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:30:13Z

Weaknesses