CVE-2026-4880 (GCVE-0-2026-4880)

Vulnerability from cvelistv5 – Published: 2026-04-15 23:25 – Updated: 2026-04-16 14:20
VLAI?
Title
Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication
Summary
The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
ukrsolution Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) Affected: 0 , ≤ 1.11.0 (semver)
Create a notification for this product.
Credits
Jude Nwadinobi
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-16T14:20:04.344282Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-16T14:20:50.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Barcode Scanner (+Mobile App) \u2013 Inventory manager, Order fulfillment system, POS (Point of Sale)",
          "vendor": "ukrsolution",
          "versions": [
            {
              "lessThanOrEqual": "1.11.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jude Nwadinobi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Barcode Scanner (+Mobile App) \u2013 Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the \u0027barcodeScannerConfigs\u0027 action, and lacking meta-key restrictions on the \u0027setUserMeta\u0027 action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user\u0027s \u0027wp_capabilities\u0027 meta to gain full administrative access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T23:25:49.596Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/trunk/src/Core.php?rev=3391688#L498"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders#file30"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-26T13:59:05.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-15T11:13:44.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Barcode Scanner (+Mobile App) \u003c= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4880",
    "datePublished": "2026-04-15T23:25:49.596Z",
    "dateReserved": "2026-03-26T07:10:23.272Z",
    "dateUpdated": "2026-04-16T14:20:50.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-4880",
      "date": "2026-04-16",
      "epss": "0.00119",
      "percentile": "0.30869"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-4880\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-04-16T00:16:29.393\",\"lastModified\":\"2026-04-16T00:16:29.393\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Barcode Scanner (+Mobile App) \u2013 Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the \u0027barcodeScannerConfigs\u0027 action, and lacking meta-key restrictions on the \u0027setUserMeta\u0027 action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user\u0027s \u0027wp_capabilities\u0027 meta to gain full administrative access.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/trunk/src/Core.php?rev=3391688#L498\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders#file30\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-15T23:25:49.596Z\"}, \"affected\": [{\"vendor\": \"ukrsolution\", \"product\": \"Barcode Scanner (+Mobile App) \\u2013 Inventory manager, Order fulfillment system, POS (Point of Sale)\", \"versions\": [{\"version\": \"0\", \"status\": \"affected\", \"lessThanOrEqual\": \"1.11.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Barcode Scanner (+Mobile App) \\u2013 Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the \u0027barcodeScannerConfigs\u0027 action, and lacking meta-key restrictions on the \u0027setUserMeta\u0027 action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user\u0027s \u0027wp_capabilities\u0027 meta to gain full administrative access.\"}], \"title\": \"Barcode Scanner (+Mobile App) \u003c= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication\", \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/trunk/src/Core.php?rev=3391688#L498\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders#file30\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-269 Improper Privilege Management\", \"cweId\": \"CWE-269\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\"}}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jude Nwadinobi\"}], \"timeline\": [{\"time\": \"2026-03-26T13:59:05.000Z\", \"lang\": \"en\", \"value\": \"Vendor Notified\"}, {\"time\": \"2026-04-15T11:13:44.000Z\", \"lang\": \"en\", \"value\": \"Disclosed\"}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-4880\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-16T14:20:04.344282Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-16T14:20:40.555Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-4880\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Wordfence\", \"dateReserved\": \"2026-03-26T07:10:23.272Z\", \"datePublished\": \"2026-04-15T23:25:49.596Z\", \"dateUpdated\": \"2026-04-16T14:20:50.654Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.