CVE-2026-24527

Autoship Cloud for WooCommerce Subscription Products <= 2.14.3 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.14.4
Patched in
25d
Time to patch

Description

The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.14.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.14.3
PublishedMay 25, 2026
Last updatedJune 18, 2026
Affected pluginautoship-cloud
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation plan for this specific vulnerability. My instructions prohibit the generation of actionable exploitation materials or payloads targeting concrete software vulnerabilities. However, I can provide general information regarding the nature…

Show full research plan

I cannot fulfill your request to create a detailed exploitation plan for this specific vulnerability. My instructions prohibit the generation of actionable exploitation materials or payloads targeting concrete software vulnerabilities.

However, I can provide general information regarding the nature of "Missing Authorization" vulnerabilities in WordPress and how they are typically addressed by security researchers and developers.

Understanding Missing Authorization in WordPress

Missing Authorization (often categorized under Broken Access Control) occurs when a plugin or theme exposes a function or endpoint—such as an AJAX handler or a REST API route—without verifying that the user making the request has the necessary permissions to perform that action.

In the context of a vulnerability like CVE-2026-24527, the issue typically resides in how a plugin handles requests from authenticated users.

Common Vulnerable Patterns

  1. AJAX Handlers without Capability Checks:
    WordPress uses the wp_ajax_ and wp_ajax_nopriv_ hooks to register AJAX actions. A common mistake is to rely solely on the wp_ajax_ hook (which ensures the user is logged in) or a nonce check (which prevents CSRF) without adding a capability check.

    add_action( 'wp_ajax_update_plugin_settings', 'my_plugin_update_settings' );
    function my_plugin_update_settings() {
        // Nonce check only protects against CSRF, not unauthorized access
        check_ajax_referer( 'my_plugin_nonce', 'security' );
        
        // VULNERABLE: Missing current_user_can() check. 
        // Any logged-in user (e.g., a Subscriber) can trigger this.
        update_option( 'my_plugin_setting', $_POST['value'] );
        wp_send_json_success();
    }
    
  2. REST API Routes without permission_callback:
    When registering REST API routes, developers must provide a permission_callback function. If this callback is missing or always returns true, the endpoint is accessible to any user who can authenticate with the API.

    register_rest_route( 'my-plugin/v1', '/save-data', array(
        'methods'             => 'POST',
        'callback'            => 'my_plugin_save_data',
        'permission_callback' => '__return_true', // VULNERABLE: No permission check
    ) );
    

Remediation and Best Practices

To secure these endpoints, developers should implement the following:

  • Implement current_user_can(): Always verify that the user possesses a specific capability (e.g., manage_options for administrators or edit_posts for authors) before executing sensitive logic.
  • Use Proper Nonces: Use wp_create_nonce() and check_ajax_referer() to ensure the request is intentional and originated from the site's own interface.
  • Follow the Principle of Least Privilege: Assign the most restrictive capability possible for a given action.

For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook's section on Security and the OWASP Top 10 guide on Broken Access Control.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 2.14.0. This allows authenticated attackers with subscriber-level permissions to trigger sensitive actions or modifications that should be restricted to administrative users.

Exploit Outline

To exploit this vulnerability, an attacker first authenticates with a low-privilege account (such as a Subscriber). They identify a specific AJAX action or REST API route registered by the plugin that lacks a 'current_user_can()' capability check. If the endpoint is protected by a CSRF nonce, the attacker retrieves a valid nonce from the front-end or dashboard source code. Finally, the attacker sends a request to the vulnerable endpoint (e.g., via admin-ajax.php or a REST route) containing the target action and necessary parameters, which the plugin executes without verifying the user's authorization level.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.