CVE-2026-56013

License Manager for WooCommerce <= 3.0.15 - Unauthenticated Insecure Direct Object Reference

mediumAuthorization Bypass Through User-Controlled Key
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.0.16
Patched in
7d
Time to patch

Description

The License Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.15 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.15
PublishedJune 19, 2026
Last updatedJune 25, 2026

What Changed in the Fix

Changes introduced in v3.0.16

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-56013 ## 1. Vulnerability Summary The **License Manager for WooCommerce** plugin (versions <= 3.0.15) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists in the plugin's REST API endpoints (specifically t…

Show full research plan

Exploitation Research Plan - CVE-2026-56013

1. Vulnerability Summary

The License Manager for WooCommerce plugin (versions <= 3.0.15) is vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR). The vulnerability exists in the plugin's REST API endpoints (specifically those related to Generators and Licenses) and potentially its global action handlers. Due to an insufficiently restrictive permission_callback in the RestController and missing authorization checks within specific endpoint callbacks (like deleteGenerator or updateGenerator), unauthenticated users can perform actions on resources (generators, licenses, or activations) by simply providing their ID.

2. Attack Vector Analysis

  • Endpoint: /wp-json/lmfwc/v2/generators/{generator_id} or /wp-json/lmfwc/v2/licenses/{license_id}
  • HTTP Methods: DELETE, PUT, or GET.
  • Payload Parameter: {generator_id} or {license_id} in the URL path.
  • Authentication: None (Unauthenticated).
  • Preconditions: The specific REST route must be enabled in the plugin settings (checked via isRouteEnabled). By default, many are enabled for functionality.

3. Code Flow

  1. Route Registration: In includes/Api/V2/Generators.php, the register_routes() method registers the DELETE method for `generators/(?P<

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.