Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Smart Online Order for Clover plug‑in contains an Authentication Bypass vulnerability that allows an attacker to authenticate as any user without providing valid credentials. The flaw is rated CWE-288 and enables unauthorized manipulation of orders and viewing of sensitive data; the possibility of gaining higher privileges within the WordPress site is inferred based on the ability to authenticate as any user.

Affected Systems

The vulnerability exists in the ZAYTECH Smart Online Order for Clover plug‑in from the first release through version 1.6.0. All WordPress installations that have this plug‑in installed and have not upgraded beyond that version are affected.

Risk and Exploitability

The CVSS score of 7.3 classifies the flaw as high severity. Although the EPSS score is not available, the lack of a listing in the CISA KEV catalog suggests no confirmed widespread exploitation yet. The likely attack vector is a web‑based request to the plug‑in’s authentication endpoint or an alternate route that bypasses standard credential checks. An attacker who can reach the plug‑in’s management interface could potentially retrieve or modify order data and may gain further access to the underlying WordPress admin area; this is inferred from the authentication bypass.

Generated by OpenCVE AI on May 27, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Smart Online Order for Clover plug‑in to the latest available version (greater than 1.6.0).
  • If an upgrade is not viable, disable or remove the plug‑in until a patched version is released.
  • Configure a web application firewall or similar controls to block repeated or suspicious authentication attempts against the plug‑in’s endpoints.

Generated by OpenCVE AI on May 27, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zaytech
Zaytech smart Online Order For Clover
Vendors & Products Wordpress
Wordpress wordpress
Zaytech
Zaytech smart Online Order For Clover

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
Title WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Zaytech Smart Online Order For Clover
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:51:00.336Z

Reserved: 2026-04-29T09:05:30.886Z

Link: CVE-2026-42745

cve-icon Vulnrichment

Updated: 2026-05-27T10:50:55.451Z

cve-icon NVD

Status : Received

Published: 2026-05-27T11:16:20.940

Modified: 2026-05-27T11:16:20.940

Link: CVE-2026-42745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T13:00:11Z

Weaknesses