Description
Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Japanized For WooCommerce plugin contains an unauthenticated broken access control flaw. Attackers can request the plugin’s administrative interfaces without providing credentials, allowing them to modify WooCommerce settings such as shipping options, payment gateways, or pricing rules. This can lead to service disruption, financial loss, or unauthorized data exposure at the shop level.

Affected Systems

All installations of the WordPress Japanized For WooCommerce plugin 2.9.12 or earlier are vulnerable. The flaw exists in the plugin’s exposed admin endpoints that do not verify user authentication before rendering configuration pages.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability represents a moderate risk. No current exploit code is known and the EPSS score is not available, but because the issue is unauthenticated it can be leveraged by any visitor to the site. The vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploitation at this time. However, the lack of authentication control makes discovery and exploitation straightforward for an attacker who can simply make HTTP requests to the admin URLs.

Generated by OpenCVE AI on June 29, 2026 at 16:36 UTC.

Remediation

Vendor Solution

Update the WordPress Japanized For WooCommerce Plugin to the latest available version (at least 2.9.13).


OpenCVE Recommended Actions

  • Update the Japanized For WooCommerce plugin to version 2.9.13 or later to remove the access control flaw.
  • If a patch cannot be applied immediately, temporarily deactivate the plugin to prevent unauthenticated access to its configuration pages.
  • Review WooCommerce administrative access controls—restrict the admin area to trusted IP addresses or enable two‑factor authentication for backend users to mitigate potential future elevation attempts.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.
Title | | WordPress Japanized For WooCommerce plugin <= 2.9.12 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T15:56:14.173Z

Reserved: 2026-06-24T12:45:19.179Z

Link: CVE-2026-57340

Vulnrichment

Updated: 2026-06-29T15:56:01.243Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T16:45:04Z

Weaknesses