Description
The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.
Published: 2026-04-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation to administrator via insecure token authentication
Action: Immediate Patch
AI Analysis

Impact

A WordPress plugin designed for inventory and order management accepts a Base64‑encoded user identifier as part of a token. The plugin trusts this value without validation and exposes the current authentication token through a public endpoint. Because of these flaws, any visitor can forge the admin user’s identifier, obtain the token, and then use that token to call an otherwise restricted action that writes to the user meta table. This sequence enables an unauthenticated attacker to change the wp_capabilities meta field for any user, effectively gaining full administrative privileges within the WordPress installation.

Affected Systems

The vulnerability exists in the Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS plugin for WordPress versions up to and including 1.11.0. Users running any of these releases on a WordPress site are potentially affected.

Risk and Exploitability

The CVSS v3.1 base score is 9.8, which categorizes the issue as critical. Exploitation requires no credentials and is performed with ordinary HTTP requests, so the attack vector is remote and unauthenticated (AV:N/PR:N in the published vector). While the EPSS score is not available, the absence of any authentication barrier and the public exposure of the token make exploitation highly likely; the issue is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on April 17, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version that removes insecure token handling and restricts the setUserMeta action to administrative users only.
  • If an upgrade is not immediately possible, disable the barcodeScannerConfigs endpoint or restrict it to authenticated administrators by adding a capability check before serving the token.
  • Remove or heavily restrict the ability to modify the 'wp_capabilities' user meta key from the setUserMeta action, ensuring only the WordPress core or admin interface can alter this field.
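One way to carry out the third recommendation at the WordPress layer until a fixed release is available, as an added example that is not part of this advisory or of the plugin's own code: a must-use plugin that hooks WordPress core's update_user_metadata / add_user_metadata filters and refuses writes to the capabilities key unless the request carries a valid WordPress auth cookie for an account that can already promote users. It assumes the vulnerable setUserMeta action writes through update_user_meta() (so the core filter runs); the function name bsh_guard_capability_meta is hypothetical.

```php
<?php
/**
 * Plugin Name: Guard capability meta writes (added mitigation example)
 * Hypothetical must-use plugin (wp-content/mu-plugins/) that refuses writes to the
 * capabilities / user_level user-meta keys unless the actor, identified from the
 * signed WordPress auth cookie, may already promote users. It relies on the plugin
 * reaching update_user_meta(), which runs these core filters; code that writes to
 * the usermeta table directly would bypass it.
 */
add_filter( 'update_user_metadata', 'bsh_guard_capability_meta', 10, 3 );
add_filter( 'add_user_metadata', 'bsh_guard_capability_meta', 10, 3 );

function bsh_guard_capability_meta( $check, $object_id, $meta_key ) {
    global $wpdb;

    // The real key is prefix-dependent: "wp_capabilities" only for the default prefix.
    $protected = array(
        $wpdb->get_blog_prefix() . 'capabilities',
        $wpdb->get_blog_prefix() . 'user_level',
    );
    if ( ! in_array( $meta_key, $protected, true ) ) {
        return $check; // null: every other key is handled by WordPress as usual
    }

    // Maintenance from the command line is not affected.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return $check;
    }

    // Brand-new accounts have no capabilities yet; wp_insert_user() must still be
    // able to assign the initial role (e.g. open registration).
    if ( '' === get_user_meta( (int) $object_id, $protected[0], true ) ) {
        return $check;
    }

    // Identify the actor from the signed auth cookie rather than from the current
    // user object, which a token-trusting plugin may have set from request input.
    $actor = wp_validate_auth_cookie();
    if ( $actor && user_can( $actor, 'promote_users' ) ) {
        return $check;
    }

    // Everything else (including unauthenticated token requests) is refused and logged.
    error_log( sprintf(
        'Blocked %s write for user %d from %s',
        $meta_key,
        (int) $object_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    ) );
    return false; // a non-null return short-circuits update_metadata()/add_metadata()
}
```

Role changes made over REST or XML-RPC with an application password carry no auth cookie and are refused as well, so extend the actor check if you depend on them. The guard is a stop-gap that also leaves the token leak in barcodeScannerConfigs unaddressed; upgrading remains the fix.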

Generated by OpenCVE AI on April 17, 2026 at 05:58 UTC.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: (empty)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:15:00 +0000

Type: First Time appeared
Values removed: (empty)
Values added: Ukrsolution; Ukrsolution barcode Scanner And Inventory Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (empty)
Values added: Ukrsolution; Ukrsolution barcode Scanner And Inventory Manager; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 23:30:00 +0000

Type: Description
Values removed: (empty)
Values added: (the description text shown under Description above)

Type: Title
Values removed: (empty)
Values added: Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication

Type: Weaknesses
Values removed: (empty)
Values added: CWE-269

Type: References
Values removed: (empty)
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: (empty)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T14:20:50.654Z

Reserved: 2026-03-26T07:10:23.272Z

Link: CVE-2026-4880

Vulnrichment

Updated: 2026-04-16T14:20:40.555Z

NVD

Status: Deferred

Published: 2026-04-16T00:16:29.393

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-4880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T06:00:09Z

Weaknesses