CVE-2026-39701
Missing Authorization in ShopWP β€ 5.2.4 Enables Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| andrew | shopwp | to 5.2.4 (inc) |
| patchstack | wpshopify | to 5.2.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39701 is a broken access control vulnerability in the WordPress ShopWP plugin versions up to and including 5.2.4. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.
This flaw allows unauthenticated users to perform actions that normally require higher privileges, effectively bypassing intended access restrictions.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-39701 is a broken access control vulnerability that allows unauthenticated users to perform actions requiring higher privileges due to missing authorization checks in the ShopWP plugin. Such vulnerabilities can potentially lead to unauthorized access to sensitive data or functionality.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control issues generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Failure to properly restrict access could result in unauthorized data exposure, potentially leading to non-compliance with data protection requirements.
However, the vulnerability is rated with a low severity score (CVSS 5.3) and is considered unlikely to be exploited, which may reduce the immediate compliance risk. Organizations using the affected plugin should assess their exposure and apply mitigations to maintain compliance.
How can this vulnerability impact me? :
Exploiting this vulnerability can allow unauthorized users to perform privileged actions on affected websites using the ShopWP plugin, potentially leading to unauthorized changes or access.
However, the severity is rated low with a CVSS score of 5.3, and it is considered unlikely to be exploited in practice.
Despite the low severity, mass exploitation campaigns could target many websites regardless of their popularity.
No official patch is currently available, so mitigation involves updating the plugin if possible or seeking help from hosting providers or web developers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions of the WordPress ShopWP plugin up to version 5.2.4.
Detection would involve checking if the affected plugin version is installed and if unauthorized actions can be performed without proper authentication.
No specific detection commands or network signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected ShopWP plugin to a version higher than 5.2.4 if such an update is available.
If no official patch is available, seek assistance from hosting providers or web developers to implement custom access control measures.
Patchstack offers vulnerability mitigation services that can provide rapid protection against this threat.