CVE-2026-42654
Deferred Deferred - Pending Action
Authentication Bypass via Alternate Path in Wallet System for WooCommerce

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce allows Password Recovery Exploitation. This issue affects Wallet System for WooCommerce: from n/a through 2.7.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-42654
EUVD
EUVD-2026-33947
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_swings wallet_system_for_woocommerce to 2.7.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42654 is a Broken Authentication vulnerability in the WordPress Wallet System for WooCommerce plugin, affecting versions 2.7.5 and below.

It allows attackers with low privileges, such as Subscribers, to bypass normal authentication controls and perform actions reserved for higher-privileged users, potentially gaining admin access.

This is achieved through an alternate path or channel that exploits the password recovery mechanism.

The vulnerability is classified under OWASP Top 10 A7 (Identification and Authentication Failures) and is considered highly dangerous.

Compliance Impact

The vulnerability in the WordPress Wallet System for WooCommerce Plugin allows low-privileged users to bypass authentication and potentially gain admin access. This type of broken authentication flaw can lead to unauthorized access to sensitive data, which may result in violations of data protection regulations such as GDPR and HIPAA.

Specifically, unauthorized access to personal or health-related data due to this vulnerability could compromise confidentiality and integrity requirements mandated by these standards, increasing the risk of non-compliance and potential legal consequences.

Impact Analysis

This vulnerability can allow a low-privileged user to escalate their privileges to admin level on a WordPress site using the affected plugin.

An attacker gaining admin access can control the website, modify content, steal sensitive data, install malicious code, or disrupt services.

Because of its high severity and ease of exploitation, it poses a significant risk of mass exploitation across thousands of websites.

Mitigation Strategies

Users of the WordPress Wallet System for WooCommerce Plugin versions 2.7.5 and below should immediately update to version 2.7.6, which contains the patch for this vulnerability.

Until the update is applied, it is strongly advised to implement the mitigation rule provided by Patchstack to block attacks exploiting this authentication bypass vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart