CVE-2026-23977
Missing Authorization in WPFactory WooCommerce Support Ticket System
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpfactory | helpdesk_support_ticket_system_for_woocommerce | to 2.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23977 is a high-priority Broken Access Control vulnerability in the WordPress Helpdesk Support Ticket System for WooCommerce Plugin versions up to 2.1.2.
This vulnerability allows unauthenticated users to bypass authorization, authentication, or nonce token checks, enabling them to perform actions that should be restricted to higher-privileged users.
It is classified under the OWASP Top 10 category A1: Broken Access Control and is considered highly dangerous and prone to exploitation in mass-attack campaigns.
How can this vulnerability impact me? :
This vulnerability can allow attackers to escalate their privileges without proper authorization, potentially performing administrative or sensitive actions within the Helpdesk Support Ticket System for WooCommerce.
Such unauthorized access can lead to data breaches, manipulation of support tickets, disruption of customer service operations, and compromise of the overall website security.
Because the vulnerability can be exploited by unauthenticated users, it poses a significant risk to any website using the affected plugin versions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability allows unauthenticated users to bypass authorization and perform actions reserved for higher-privileged users. Detection typically involves monitoring for unauthorized access attempts or suspicious activity targeting the Helpdesk Support Ticket System for WooCommerce plugin versions up to 2.1.2.
While specific commands are not provided in the available resources, general detection methods include reviewing web server logs for unusual requests to the plugin endpoints, scanning for plugin versions <= 2.1.2, and using security monitoring tools that can identify broken access control attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the Helpdesk Support Ticket System for WooCommerce plugin to version 2.1.3 or later, where the vulnerability has been patched.
Until the update can be applied, Patchstack provides an immediate mitigation rule that blocks attacks targeting this vulnerability, which can be used to protect the website.
Additionally, enabling continuous security monitoring and automatic updates for vulnerable plugins can help prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-23977 is a broken access control flaw that allows unauthorized users to bypass authorization and perform actions reserved for higher-privileged users. Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or sensitive information.
However, the provided information does not explicitly mention the direct impact on compliance with these regulations.