CVE-2026-39470: WordPress WooCommerce Cart Abandonment Recovery plugin < 2.1.0 - Privilege Escalation vulnerability
Shop manager privilege escalation in WooCommerce Cart Abandonment Recovery versions before 2.1.0.
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: 2.1.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A privilege escalation vulnerability exists in the WooCommerce Cart Abandonment Recovery plugin by Brainstorm Force, affecting all versions before 2.1.0. The flaw is reachable over the network but requires an authenticated session with shop manager-level (admin/privileged) credentials, meaning an attacker must already hold a shop manager account to exploit it. Successful exploitation allows the attacker to escalate their privileges beyond the shop manager role, gaining the ability to read, modify, or disrupt any data the elevated account can access. A patched-image rebuild at version 2.1.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress or WooCommerce images that bundle this plugin.
- Triage: Available. The CVE is scored at CVSS 7.2 HIGH and weighted against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.
- Patched image: Available. A rebuild at version 2.1.0 becomes available on HarborGuard for any image found to carry an affected version of the plugin. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test pass, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress or WooCommerce HTTP endpoint over the network to deliver the exploit request.
- Authentication: Required
  A shop manager account (an admin or privileged role within WooCommerce) is required before the escalation can be triggered.
- Victim interaction: Not required
  No victim action such as clicking a link or opening a file is needed; the attacker acts entirely on their own once authenticated.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout, or other variable environmental factors.
Blast Radius
- Attacker reads any data accessible to the escalated privilege level, including order records, customer PII, and stored payment metadata.
- Attacker modifies site configuration, product listings, pricing, or order data with the elevated account's write permissions.
- Attacker can disrupt site availability or disable plugin functionality by altering settings that the escalated role controls.
- Full confidentiality, integrity, and availability impact is possible once privilege escalation succeeds, given CVSS C:H/I:H/A:H scoring.
How HarborGuard Handles This
Available on HarborGuard: images containing WooCommerce Cart Abandonment Recovery below version 2.1.0 are flagged automatically as this CVE is matched on each ingest cycle. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the 2.1.0 fix version, runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the Patchstack advisory so approvers have the detail needed to act quickly. Customers who cannot immediately rebuild are advised to restrict shop manager account creation and review existing shop manager accounts for signs of unauthorized access while the patched image is staged.
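The version match described above is the core of the detection step. As an added example (not code from HarborGuard or from Brainstorm Force), the script below shows how a scanner decides whether an image carrying this plugin sits in the affected range: it reads the `Version:` line from the plugin's main-file header and compares it numerically against the 2.1.0 fix version, so that `2.10.0` is correctly treated as newer than `2.1.0` and `2.1` as equal to `2.1.0`. The sample header text is constructed for the example; the plugin's actual file name and header fields are assumptions, not taken from the advisory.

```python
"""Added example: flag a WordPress plugin install as affected when its
version is below the advisory's fixed version (2.1.0). Not HarborGuard's
or Brainstorm Force's code."""
import re
from typing import Optional, Tuple

FIXED_VERSION = "2.1.0"  # first fixed version per the advisory

# Constructed sample of a WordPress plugin main-file header; the plugin's
# real file name and header fields are assumptions, not taken from the page.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Cart Abandonment Recovery
 * Version: 2.0.8
 * Author: Brainstorm Force
 */
"""

_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(plugin_source: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = _VERSION_LINE.search(plugin_source)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key so that '2.9' < '2.10' and '2.1' == '2.1.0'.

    A naive string comparison ranks '2.9.0' above '2.10.0', which is how
    scanners produce false negatives. A pre-release suffix ('2.1.0-beta1')
    sorts below the matching release."""
    main, _, suffix = version.partition("-")
    parts = []
    for piece in main.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + (0 if suffix else 1,)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return version_key(installed) < version_key(fixed)


def assess(plugin_source: str) -> dict:
    """Scanner-style verdict: version found, affected flag, and a reason."""
    version = parse_version(plugin_source)
    if version is None:
        return {"version": None, "affected": None,
                "reason": "no Version header found; manual review needed"}
    affected = is_affected(version)
    return {"version": version, "affected": affected,
            "reason": f"{version} {'<' if affected else '>='} {FIXED_VERSION}"}


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER))
```

A missing header yields `affected: None` rather than a silent "not affected", so an image with an unrecognised plugin layout lands in manual review instead of being cleared.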
Fix available
- Brainstorm Force / WooCommerce Cart Abandonment Recovery: < 2.1.0 (from n/a)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H