{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24372", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-03-25T16:14:32.017Z", "dateUpdated": "2026-04-29T09:51:56.675Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "subscriptions-for-woocommerce", "product": "Subscriptions for WooCommerce", "vendor": "WP Swings", "versions": [{"changes": [{"at": "1.9.0", "status": "unaffected"}], "lessThanOrEqual": "1.8.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:25.849Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.<p>This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.</p>"}], "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:56.675Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability?_s_id=cve"}], "title": "WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass Vulnerability vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T20:10:57.643401Z", "id": "CVE-2026-24372", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:12:44.413Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24372", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T20:10:57.643401Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:10:52.611Z"}}], "cna": {"title": "WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass Vulnerability vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "Input Data Manipulation"}]}], "affected": [{"vendor": "WP Swings", "product": "Subscriptions for WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "1.9.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8.10"}], "packageName": "subscriptions-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:25.849Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.<p>This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.005Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24372", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:05.005Z", "dateReserved": "2026-01-22T14:42:32.873Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:32.017Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n por suplantaci\u00f3n en WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce permite la manipulaci\u00f3n de datos de entrada. Este problema afecta a Subscriptions for WooCommerce: desde n/a hasta &lt;= 1.8.10."}], "id": "CVE-2026-24372", "lastModified": "2026-04-29T10:16:53.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:37.660", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Subscriptions for WooCommerce", "source": "cna", "vendor": "WP Swings"}, "product": "subscriptions_for_woocommerce", "vendor": "wp_swings"}], "analysis": {"en": {"generated_at": "2026-03-26T23:24:15.447870+00:00", "value": {"mitigation_remediation": ["Update WP Swings Subscriptions for WooCommerce to a version newer than 1.8.10 as soon as possible.", "If an update cannot be deployed immediately, block public access to all subscription\u2011related URLs and enforce strict authentication for any remaining functionality.", "Review and audit subscription activity logs for unauthorized changes and investigate any suspicious events promptly."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass / Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the WP Swings Subscriptions for WooCommerce plugin at version 1.8.10 or earlier are vulnerable. The issue applies to all releases from the earliest available build up to and including the 1.8.10 release. Any site running a version in this range will have the authentication bypass until updated.", "description_and_impact": "The vulnerability allows an actor to forge authentication credentials, enabling them to view and modify subscription data that should be restricted to administrators. This type of flaw, classified as a credential\u2011spoofing bypass, can expose sensitive customer information and potentially allow the creation, cancellation, or alteration of subscriptions without proper authority, thereby undermining the integrity and confidentiality of subscription data.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.5, indicating a high level of risk. Its EPSS score is reported to be below 1\u202f%, denoting a low probability of exploitation in the wild, and it is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector involves submitting specially crafted HTTP requests to the plugin\u2019s endpoints that masquerade as legitimate administrative actions. An attacker with network-level access to the WordPress environment, even with minimal credentials, can exploit this weakness to manipulate subscription data."}}}}, "created": "2026-03-25T21:34:47.880034+00:00", "updated": "2026-03-27T09:46:28.086652+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_swings", "wp_swings$PRODUCT$subscriptions_for_woocommerce"]}