Description
Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooCommerce Dropshipping plugin for WordPress, in versions up to 5.2.4, contains a broken authentication flaw that allows an unauthenticated attacker to bypass login controls. This weakness, identified as CWE-288, can enable the attacker to assume any user account, post orders, manipulate cart or inventory data, and potentially gain broader access to the website. The portfolio of damage includes theft of order information, manipulation of pricing, and exploitation of any backend capabilities tied to user roles.

Affected Systems

Affected sites run WordPress with the WooCommerce Dropshipping plugin version 5.2.4 or earlier. The vulnerability is confined to the plugin code; however, any WordPress installation using these versions is at risk, regardless of hosting environment, operating system, or network topology.

Risk and Exploitability

The CVSS score of 6.5 signals moderate severity, and no EPSS data is currently available. The plugin is not listed in the CISA KEV catalog, implying no known active exploitation reports yet. Nevertheless, the attack vector is realistically remote; an attacker only needs to send crafted HTTP requests to the WordPress site to trigger the authentication bypass. Because the failure occurs before any credential verification, the exploit is straightforward for anyone with internet access to the vulnerable site.

Generated by OpenCVE AI on June 18, 2026 at 12:10 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce Dropshipping Plugin to the latest available version (at least 5.2.5).


OpenCVE Recommended Actions

  • Apply the latest WooCommerce Dropshipping plugin update (at least 5.2.5) to remove the authentication flaw.
  • Remove or deactivate any installed copies of versions 5.2.4 and earlier to eliminate the vulnerable code path.
  • Reconfigure user accounts and review role permissions to ensure that no unnecessary administrative privileges remain available after the update.

Generated by OpenCVE AI on June 18, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Opmc
Opmc woocommerce Dropshipping
Wordpress
Wordpress wordpress
Vendors & Products Opmc
Opmc woocommerce Dropshipping
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.
Title WordPress WooCommerce Dropshipping plugin <= 5.2.4 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Opmc Woocommerce Dropshipping
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:36:36.776Z

Reserved: 2026-05-27T10:27:01.186Z

Link: CVE-2026-49071

cve-icon Vulnrichment

Updated: 2026-06-17T14:36:33.552Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:15:02Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel