CVE-2026-49071
Deferred - Pending Action
Unauthenticated Broken Authentication in WooCommerce Dropshipping

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.

Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: woocommerce
Product: woocommerce_dropshipping
Version / Range: to 5.2.4 (inc)
CWE ID: CWE-288
Description: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Executive Summary

The WordPress WooCommerce Dropshipping Plugin, versions 5.2.4 and below, contains a Broken Authentication vulnerability identified as CVE-2026-49071.

This flaw allows unauthenticated attackers to perform actions that are normally restricted to higher-privileged users, potentially gaining admin access to the website.

It is classified under the OWASP Top 10 category A7: Identification and Authentication Failures.

Impact Analysis

This vulnerability can have serious impacts as it allows unauthenticated attackers to gain administrative access to affected websites.

With admin access, attackers can manipulate website data, compromise user information, and disrupt normal operations.

The vulnerability is considered highly dangerous and is expected to be exploited in mass campaigns targeting thousands of websites.

Immediate action such as updating the plugin to version 5.2.5 or later, or applying mitigation rules, is required to reduce the risk.

Mitigation Strategies

Immediate action is required to mitigate the risk of this vulnerability.

  • Update the WooCommerce Dropshipping plugin to version 5.2.5 or later.
  • Apply the mitigation rule provided by Patchstack to block attacks until the plugin is updated.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform actions typically restricted to higher-privileged users, potentially gaining admin access to the website.

Such unauthorized access could lead to exposure or manipulation of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Detection Guidance

This vulnerability affects WooCommerce Dropshipping Plugin versions 5.2.4 and below, allowing unauthenticated attackers to perform privileged actions. Detection typically involves monitoring for unauthorized access attempts or suspicious HTTP requests targeting the plugin endpoints.

Since the vulnerability is related to broken authentication, you can look for unusual POST or GET requests to the WooCommerce Dropshipping plugin URLs that attempt to perform admin-level actions without proper authentication.

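To look for exploitation attempts, filter web server logs or captured network traffic for requests that reference the plugin. For example, using grep on Apache or Nginx access logs, or tcpdump on the wire:

  • grep -i 'woocommerce-dropshipping' /var/log/apache2/access.log | grep -E 'POST|GET'
  • tcpdump -l -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'woocommerce-dropshipping'

The tcpdump pipeline can only match plaintext HTTP. Traffic on port 443 is TLS-encrypted on the wire, so HTTPS requests have to be reviewed in the server's access log or at the point where TLS is terminated.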

Additionally, applying the mitigation rule provided by Patchstack can help block attack attempts until the plugin is updated.
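
The log filtering described above can be turned into a per-client triage summary. The following is an added example, not code from this page or from Patchstack; it assumes the Apache/Nginx "combined" log format, reuses the 'woocommerce-dropshipping' string from the grep command, and treats a POST answered with a status below 400 as worth reviewing first (an assumed heuristic, since the page does not name the affected endpoint).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

SLUG = "woocommerce-dropshipping"  # same string the page's grep filters on

# Apache/Nginx "combined" access-log line: client, timestamp, request, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, placeholder paths).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jun/2026:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-dropshipping/placeholder HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [17/Jun/2026:10:01:05 +0000] "POST /placeholder?x=woocommerce%2Ddropshipping HTTP/1.1" 200 64 "-" "-"
203.0.113.20 - - [17/Jun/2026:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "-"
203.0.113.9 - - [17/Jun/2026:10:03:00 +0000] "POST /wp-content/plugins/WooCommerce-Dropshipping/placeholder HTTP/1.1" 403 0 "-" "-"
not an access-log line
"""

def triage(lines, slug=SLUG):
    """Group requests that reference the plugin by client IP."""
    hits = defaultdict(lambda: {"requests": 0, "accepted_posts": 0,
                                "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        # Decode %-escapes and lowercase so encoded or mixed-case forms still match.
        if not m or slug not in unquote(m["path"]).lower():
            continue
        h = hits[m["ip"]]
        h["requests"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        # Assumed heuristic: a POST the server did not reject (status < 400).
        if m["method"] == "POST" and int(m["status"]) < 400:
            h["accepted_posts"] += 1
    return dict(hits)

def needs_review(hits):
    """Client IPs with at least one accepted POST, for manual follow-up."""
    return sorted(ip for ip, h in hits.items() if h["accepted_posts"])

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for ip, h in result.items():
        print(ip, h)
    print("review first:", needs_review(result))
```

A match is a lead for manual review, not proof of compromise; access logs in this format do not record whether the request carried a valid session.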
