CVE-2026-42654
Authentication Bypass via Alternate Path in Wallet System for WooCommerce
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_swings | wallet_system_for_woocommerce | to 2.7.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow a low-privileged user to escalate their privileges to admin level on a WordPress site using the affected plugin.
An attacker gaining admin access can control the website, modify content, steal sensitive data, install malicious code, or disrupt services.
Because of its high severity and ease of exploitation, it poses a significant risk of mass exploitation across thousands of websites.
Can you explain this vulnerability to me?
CVE-2026-42654 is a Broken Authentication vulnerability in the WordPress Wallet System for WooCommerce plugin, affecting versions 2.7.5 and below.
It allows attackers with low privileges, such as Subscribers, to bypass normal authentication controls and perform actions reserved for higher-privileged users, potentially gaining admin access.
This is achieved through an alternate path or channel that exploits the password recovery mechanism.
The vulnerability is classified under OWASP Top 10 A7 (Identification and Authentication Failures) and is considered highly dangerous.
What immediate steps should I take to mitigate this vulnerability?
Users of the WordPress Wallet System for WooCommerce Plugin versions 2.7.5 and below should immediately update to version 2.7.6, which contains the patch for this vulnerability.
Until the update is applied, it is strongly advised to implement the mitigation rule provided by Patchstack to block attacks exploiting this authentication bypass vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the WordPress Wallet System for WooCommerce Plugin allows low-privileged users to bypass authentication and potentially gain admin access. This type of broken authentication flaw can lead to unauthorized access to sensitive data, which may result in violations of data protection regulations such as GDPR and HIPAA.
Specifically, unauthorized access to personal or health-related data due to this vulnerability could compromise confidentiality and integrity requirements mandated by these standards, increasing the risk of non-compliance and potential legal consequences.