Description
Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce <= 10.4.0 versions.
Published: 2026-06-26
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a subscriber user of the Abandoned Cart Pro for WooCommerce plugin to increase their privileges beyond the intended scope. This is a privilege management error (CWE-266) that can lead to unauthorized access to sensitive administrative functions within the WordPress site. The impact is the potential to alter, delete, or create content and settings that should be restricted to higher‑privilege roles.

Affected Systems

Tyche Softwares’ Abandoned Cart Pro for WooCommerce plugin versions 10.4.0 and earlier are impacted. The plugin is widely used in WordPress stores that rely on WooCommerce for e‑commerce transactions. Users of any affected version should verify their installed version number.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity and shows that the flaw is exploitable by an authenticated subscriber. While the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the potential for privilege escalation in a widely deployed e‑commerce plugin makes it a compelling target for attackers. Likely attack vectors involve legitimate user actions via the plugin’s UI or crafted HTTP requests that the plugin improperly authorizes. An attacker who has compromised a subscriber account can use the flaw to elevate privileges, leading to broader site compromise.

Generated by OpenCVE AI on June 26, 2026 at 16:45 UTC.

Remediation

Vendor Solution

Update the WordPress Abandoned Cart Pro for WooCommerce Plugin to the latest available version (at least 10.4.1).

OpenCVE Recommended Actions

  • Update the Abandoned Cart Pro for WooCommerce plugin to version 10.4.1 or later.
  • Review and temporarily limit subscriber role permissions to prevent privilege escalation via the plugin.
  • Audit existing user roles for unauthorized changes and monitor for suspicious activity post‑update.

Generated by OpenCVE AI on June 26, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Tychesoftwares
Tychesoftwares abandoned Cart Pro For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Tychesoftwares
Tychesoftwares abandoned Cart Pro For Woocommerce
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce <= 10.4.0 versions.
Title WordPress Abandoned Cart Pro for WooCommerce plugin <= 10.4.0 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Tychesoftwares Abandoned Cart Pro For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:18:47.172Z

Reserved: 2026-06-18T09:31:56.471Z

Link: CVE-2026-56010

cve-icon Vulnrichment

Updated: 2026-06-26T20:18:42.648Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T19:15:03Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment