Description
Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Subscriptions for WooCommerce plugin up to version 1.9.5 allows an unauthenticated attacker to bypass normal access checks. The weakness is an Access Control Failure (CWE‑862) that can let attackers create, modify, or cancel subscriptions without a valid user session, potentially leaking personal data or disrupting revenue streams.

Affected Systems

The affected product is WP Swings Subscriptions for WooCommerce. Versions 1.9.5 and earlier are impacted. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is not available, but the lack of a KEV listing suggests no confirmed exploitation yet. Based on the description, it is inferred that attackers can likely exploit the issue by sending specially crafted HTTP requests to the plugin’s endpoints without authenticating, making it readily actionable once the vulnerability is known.

Generated by OpenCVE AI on June 26, 2026 at 17:47 UTC.

Remediation

Vendor Solution

Update the WordPress Subscriptions for WooCommerce Plugin to the latest available version (at least 1.9.6).

OpenCVE Recommended Actions

  • Update the WordPress Subscriptions for WooCommerce plugin to version 1.9.6 or later.
  • If an immediate update is not possible, temporarily disable the plugin to block exploitation.
  • Configure a web application firewall to detect and block unauthorized API calls to the plugin’s endpoints.

Generated by OpenCVE AI on June 26, 2026 at 17:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Swings
Wp Swings subscriptions For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wp Swings
Wp Swings subscriptions For Woocommerce

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions.
Title WordPress Subscriptions for WooCommerce plugin <= 1.9.5 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Wordpress Wordpress
Wp Swings Subscriptions For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:48.708Z

Reserved: 2026-06-18T14:38:04.421Z

Link: CVE-2026-56061

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T21:15:03Z

Weaknesses