CVE-2026-52711
Deferred Deferred - Pending Action

Unauthenticated Broken Access Control in WooCommerce POS

Vulnerability report for CVE-2026-52711, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Patchstack

Description

Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woocommerce woocommerce_pos to 1.8.14|start_including=1.9.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the unauthenticated Broken Access Control vulnerability in WooCommerce POS affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability affects WooCommerce POS Plugin versions 1.8.14 and below, allowing unauthenticated attackers to perform privileged actions due to missing authorization checks.

To detect if your system is vulnerable, first verify the installed WooCommerce POS plugin version. You can do this by checking the plugin version in the WordPress admin dashboard or by inspecting the plugin files directly.

From the command line, you can check the plugin version by running commands like:

  • grep -i 'Version' wp-content/plugins/woocommerce-pos/readme.txt
  • wp plugin list --status=active | grep woocommerce-pos

If the version is 1.8.14 or below, your system is vulnerable.

Additionally, monitoring network traffic for suspicious requests targeting WooCommerce POS endpoints without authentication could help detect exploitation attempts. However, specific detection commands or signatures are not provided.

Until you update to version 1.9.0 or later, applying mitigation rules from Patchstack to block attacks is recommended.

Executive Summary

CVE-2026-52711 is a Broken Access Control vulnerability in the WordPress WooCommerce POS Plugin versions 1.8.14 and below.

This flaw allows unauthenticated attackers to perform privileged actions because the plugin lacks proper authorization checks.

In other words, attackers do not need to log in or have any permissions to exploit this vulnerability and carry out actions that should be restricted.

Impact Analysis

This vulnerability poses a significant risk as it allows attackers to perform privileged actions without authentication.

Such unauthorized actions can compromise the security and integrity of your WooCommerce POS system.

Because the vulnerability is actively dangerous and may be exploited in mass campaigns targeting thousands of websites, it can lead to unauthorized access, data manipulation, or other malicious activities.

Immediate action, such as updating the plugin to version 1.9.0 or later, is strongly recommended to mitigate this risk.

Mitigation Strategies

Immediate action is recommended to mitigate this vulnerability.

  • Update the WooCommerce POS plugin to version 1.9.0 or later.
  • Seek assistance from your hosting provider or a developer if you cannot update immediately.
  • Apply the mitigation rule offered by Patchstack to block attacks until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52711. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart