{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39701", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:16.464Z", "datePublished": "2026-04-08T08:30:46.861Z", "dateUpdated": "2026-04-08T08:30:46.861Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpshopify", "product": "ShopWP", "vendor": "Andrew", "versions": [{"lessThanOrEqual": "5.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:45.846Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ShopWP: from n/a through <= 5.2.4.</p>"}], "value": "Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:46.861Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpshopify/vulnerability/wordpress-shopwp-plugin-5-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress ShopWP plugin <= 5.2.4 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4."}], "id": "CVE-2026-39701", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:42.690", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpshopify/vulnerability/wordpress-shopwp-plugin-5-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ShopWP", "source": "cna", "vendor": "Andrew"}, "product": "shopwp", "vendor": "andrew"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:26:42.768684+00:00", "value": {"mitigation_remediation": ["Apply the latest ShopWP plugin update (5.2.5 or newer) obtained from the vendor or reputable source.", "If an update cannot be applied immediately, disable the ShopWP plugin or remove it from the WordPress installation to block any potential unauthorized access.", "Review and tighten WordPress user roles and permissions, ensuring that only authorized administrators can access plugin management features.", "Monitor site activity for signs of unauthorized use of shop functions and audit logs for unusual changes."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Andrew ShopWP plugin, also known as wpshopify, in any WordPress installation where the plugin is installed. All released versions up to and including 5.2.4 are impacted; newer releases are not listed as affected.", "description_and_impact": "Missing authorization in the ShopWP plugin for WordPress enables an attacker to bypass intended access controls. This broken access control flaw can allow a user who is not properly authenticated to perform actions or view data that should be restricted, including sensitive shop settings or transaction details. The weakness corresponds to the Common Weakness enumeration for Broken Access Control.", "risk_and_exploitability": "No CVSS or EPSS scores are provided, and the vulnerability is not listed in CISA\u2019s KEV catalog, limiting publicly available exploitation metrics. The attack vector is inferred to be via the web interface of a WordPress site using this plugin, exploiting improperly configured access controls. If an attacker gains access, they could read or alter shop functionality and data, potentially leading to unauthorized changes or data disclosure. The risk is considered moderate to high for sites using these versions, especially if default or weak administrative configurations are in place."}}}}, "created": "2026-04-08T19:27:33.731018+00:00", "updated": "2026-04-08T19:40:18.233615+00:00", "vendors": ["andrew", "andrew$PRODUCT$shopwp", "wordpress", "wordpress$PRODUCT$wordpress"]}