Impact
The WooCommerce Dropshipping plugin for WordPress, in versions up to 5.2.4, contains a broken authentication flaw that allows an unauthenticated attacker to bypass login controls. This weakness, identified as CWE-288, can enable the attacker to assume any user account, post orders, manipulate cart or inventory data, and potentially gain broader access to the website. The portfolio of damage includes theft of order information, manipulation of pricing, and exploitation of any backend capabilities tied to user roles.
Affected Systems
Affected sites run WordPress with the WooCommerce Dropshipping plugin version 5.2.4 or earlier. The vulnerability is confined to the plugin code; however, any WordPress installation using these versions is at risk, regardless of hosting environment, operating system, or network topology.
Risk and Exploitability
The CVSS score of 6.5 signals moderate severity, and no EPSS data is currently available. The plugin is not listed in the CISA KEV catalog, implying no known active exploitation reports yet. Nevertheless, the attack vector is realistically remote; an attacker only needs to send crafted HTTP requests to the WordPress site to trigger the authentication bypass. Because the failure occurs before any credential verification, the exploit is straightforward for anyone with internet access to the vulnerable site.
OpenCVE Enrichment