CVE-2026-48868 · Severity: HIGH · CNA: Patchstack

CVE-2026-48868: WordPress Simple Shopping Cart plugin <= 5.2.9 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart versions 5.2.9 and earlier.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An Insecure Direct Object Reference (IDOR) vulnerability affects the WordPress Simple Shopping Cart plugin at version 5.2.9 and earlier. The flaw is reachable over the network with no authentication required, so any internet user can send crafted requests to an affected WordPress site. Successful exploitation gives an attacker read access to data that should be protected, such as order records, customer details, or other objects managed by the plugin. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as the upstream maintainer publishes a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-48868 is available across every HarborGuard environment. Images containing the Simple Shopping Cart plugin at an affected version, including custom-built WordPress images, are matched against the CVE within minutes of its ingestion from upstream advisory feeds.

Status: Available
Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector, with per-environment compliance policy weighting available to adjust priority based on exposure posture. Routing to the appropriate team inbox is available within each customer organization based on configured ownership rules.

Status: Available
Patch

No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer releases a remediated version.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress site via HTTP or HTTPS from any internet connection.

  • Authentication: Not required

    No account, session, or credential of any kind is needed to send the malicious request.

  • Victim interaction: Not required

    The attacker triggers the vulnerability directly through their own request with no action required from a site user or administrator.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable, requiring no race conditions, special memory layout, or environmental preconditions.

Blast Radius

  • Attacker reads order records or transaction data belonging to other customers of the WordPress store.
  • Attacker reads personally identifiable details such as names, addresses, or email addresses stored in cart or order objects.
  • No write or availability impact is indicated; data integrity and service uptime are not directly affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images in connected registries and CI pipelines, including custom WordPress images that bundle the Simple Shopping Cart plugin. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle. In the meantime, compensating controls are worth considering: network policy rules that restrict public access to the vulnerable cart endpoints, web application firewall rules that block unauthenticated object-reference enumeration patterns, and egress filtering that limits which data paths are reachable from the plugin. For customers with auto-remediation enabled, a patched-image rebuild and a PR against affected workloads will be opened automatically the moment a fix version is published upstream, with no manual intervention needed.

Affected packages
  • mra13 / Team Tips and Tricks HQ / Simple Shopping Cart
    ≤ 5.2.9
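A practitioner checking their own images against this advisory needs to read the plugin's version out of its main PHP file and compare it with the affected range above. The following is an added example, not HarborGuard's or the plugin's code; it assumes only the standard WordPress plugin header format (a `Version:` line in the main plugin file), and the sample header is constructed.

```python
import re

# Affected range from the advisory: Simple Shopping Cart <= 5.2.9, no fixed version published yet.
AFFECTED_MAX = "5.2.9"

# Standard WordPress plugin header lines, e.g. "Plugin Name: ..." / "Version: ..." inside a /* */ block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample of a plugin main file, not taken from the real plugin.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: WordPress Simple Shopping Cart
Version: 5.2.9
*/
"""


def parse_plugin_header(php_source: str) -> dict:
    """Extract the header fields this check needs from the plugin's main PHP file."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; '5.3' > '5.2.9', and '5.3-rc1' < '5.3'."""
    def key(v: str):
        core, _, pre = v.strip().partition("-")
        return tuple(int(p) for p in core.split(".") if p.isdigit()), pre

    (ta, pa), (tb, pb) = key(a), key(b)
    width = max(len(ta), len(tb))          # pad so '5.3' compares as '5.3.0'
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    if ta != tb:
        return -1 if ta < tb else 1
    if pa == pb:                            # same core and same (or no) pre-release tag
        return 0
    if not pa:                              # a final release sorts above its pre-releases
        return 1
    if not pb:
        return -1
    return -1 if pa < pb else 1


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's range (<= 5.2.9)."""
    return compare_versions(version, AFFECTED_MAX) <= 0


def audit_plugin_file(php_source: str) -> dict:
    """Combine header parsing and range check into one verdict for an image scan."""
    header = parse_plugin_header(php_source)
    version = header.get("Version", "")
    return {"name": header.get("Plugin Name", "?"), "version": version,
            "affected": bool(version) and is_affected(version)}
```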
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N