CVE-2026-42654 | Severity: HIGH | CNA: Patchstack

CVE-2026-42654: WordPress Wallet System for WooCommerce plugin <= 2.7.5 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce allows Password Recovery Exploitation. This issue affects Wallet System for WooCommerce: from n/a through 2.7.5.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no upstream fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Broken authentication vulnerability in the Wallet System for WooCommerce WordPress plugin (versions up to and including 2.7.5) allows a remote attacker with a low-privilege account to exploit an alternate password recovery path or channel to bypass normal authentication controls. The attack is reachable over the network and requires no victim interaction. Successful exploitation gives the attacker high integrity impact, meaning they can modify wallet balances, transaction records, or account settings beyond their authorized scope, while also gaining limited read access to sensitive data. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-42654 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress or WooCommerce images carrying this plugin. Any image containing an affected version of the Wallet System for WooCommerce plugin at or below 2.7.5 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on their configured triage rules.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment WP Swings publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once the upstream fix exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via standard HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege account (such as a standard WooCommerce customer account) is sufficient to reach the vulnerable password recovery code path.

  • Victim interaction: Not required

    No victim action is needed; the attacker drives the exploit entirely from their own session.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • Attacker can hijack or reset account credentials for other users by abusing the alternate password recovery channel, effectively taking over targeted accounts.
  • Attacker can modify wallet balances or transaction records within WooCommerce, enabling fraudulent credits or unauthorized fund transfers.
  • Attacker gains limited read access to account data exposed during the authentication bypass flow, such as registered email addresses or order references.
  • Availability is not impacted; the service remains operational while the attacker operates covertly.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously with no upstream fix currently published. Because no patched version exists, HarborGuard monitors the Patchstack advisory and WP Swings release feed on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is released. In the meantime, compensating controls are worth considering: network-policy rules can restrict unauthenticated or low-privilege access to the WordPress password recovery endpoints, WAF rules can block exploitation patterns against the alternate recovery channel, and teams can evaluate temporarily disabling the wallet plugin on high-value storefronts until a patch is available. HarborGuard surfaces the finding with CVSS 7.1 HIGH scoring and routes it according to each environment's compliance policy so the right team can act without manual triage.

Affected packages
  • WP Swings / Wallet System for WooCommerce: ≤ 2.7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N