CVE-2026-4880
Received Received - Intake
Privilege Escalation in Barcode Scanner WordPress Plugin via Token Abuse

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: Wordfence

Description
The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4880
EUVD
EUVD-2026-23136
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence barcode_scanner to 1.11.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Barcode Scanner plugin for WordPress is vulnerable to privilege escalation due to insecure token-based authentication. The plugin trusts a user-supplied Base64-encoded user ID in the token parameter to identify users. Attackers can exploit this by spoofing an admin user ID to leak a valid authentication token through the 'barcodeScannerConfigs' action. Then, using this token, they can update any user's 'wp_capabilities' meta data via the 'setUserMeta' action, which lacks proper restrictions, thereby gaining full administrative access.

Impact Analysis

This vulnerability allows unauthenticated attackers to escalate their privileges to administrator level on a WordPress site using the Barcode Scanner plugin. This means attackers can gain full control over the site, potentially leading to unauthorized data access, modification, deletion, or complete site takeover.

Compliance Impact

The vulnerability allows unauthenticated attackers to escalate their privileges to administrator level by exploiting insecure token-based authentication. This can lead to unauthorized access and modification of sensitive data within the WordPress environment.

Such unauthorized access and privilege escalation can result in violations of common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to ensure confidentiality, integrity, and availability.

Therefore, this vulnerability poses a significant risk to compliance by potentially exposing sensitive user data and administrative controls to attackers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4880. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart