Description
Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions.
Published: 2026-06-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken access control flaw exists in the Wallet System for WooCommerce plugin up to version 2.7.6 that allows a user with subscriber privileges to perform actions normally reserved for higher‑level users. This flaw can potentially enable the attacker to alter wallet balances, create or delete transactions, and otherwise compromise the integrity of the financial system embedded in a WordPress site. The vulnerability arises from inadequate capability checks in privileged functions, a weakness identified as CWE‑862.

Affected Systems

The issue affects the WP Swings: Wallet System for WooCommerce plugin. Any installation running a version prior to 2.7.7 is potentially vulnerable, regardless of other plugin or theme configurations.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. The EPSS score is not available, and the lack of a KEV listing suggests that documented exploits are not yet public. Based on the description, an attacker would first authenticate as a subscriber or any user with wallet access, then invoke privileged endpoints that lack proper capability checks. The impact is primarily on the integrity and availability of wallet data, and could lead to financial loss or unauthorized funding of transactions.

Generated by OpenCVE AI on June 29, 2026 at 16:50 UTC.

Remediation

Vendor Solution

Update the WordPress Wallet System for WooCommerce Plugin to the latest available version (at least 2.7.7).


OpenCVE Recommended Actions

  • Update the WordPress Wallet System for WooCommerce plugin to version 2.7.7 or later. This release removes the weakened access checks and restores correct privilege enforcement.
  • Review and tighten WordPress user roles and capabilities so that only administrators or designated privileged users can access wallet management functions, ensuring that subscriber roles cannot trigger privileged endpoints.
  • Monitor and review WordPress and server logs for any unauthorized attempts to modify wallet balances or create transactions, and consider implementing intrusion detection or rate limiting for wallet-related endpoints.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpswings; Wpswings wallet System For Woocommerce
Vendors & Products | | Wordpress; Wordpress wordpress; Wpswings; Wpswings wallet System For Woocommerce

Mon, 29 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions.
Title | | WordPress Wallet System for WooCommerce plugin <= 2.7.6 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T15:07:09.783Z

Reserved: 2026-06-24T12:45:19.178Z

Link: CVE-2026-57332

Vulnrichment

Updated: 2026-06-29T15:07:06.493Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses