CVE-2026-52711: WordPress WooCommerce POS plugin <= 1.8.14 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the WooCommerce POS WordPress plugin at version 1.8.14 and earlier. The flaw is reachable over the network without any authentication, meaning an attacker only needs HTTP access to the target WordPress site. Successful exploitation exposes sensitive data stored by the plugin, with no ability to modify or destroy data based on the CVSS impact scoring. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as one is released.
HarborGuard Coverage
- Detection for CVE-2026-52711 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images containing the WooCommerce POS plugin at an affected version. Status: Available.
- HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights that score against each customer environment's compliance policy. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules. Status: Available.
- No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be opened without manual intervention. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress site over the network via HTTP/HTTPS; no local or physical access is needed.
- Authentication: Not required
  No account or session credentials are needed; the attacker can send unauthenticated requests directly to the affected endpoint.
- Victim interaction: Not required
  No user action, click, or social engineering is required to trigger the vulnerability.
- Attack complexity: Low (AC:L)
  Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors are required.
Blast Radius
- An attacker reads confidential data stored or exposed by the WooCommerce POS plugin, which may include point-of-sale transaction records, order details, or customer information.
- Data integrity is not affected based on the CVSS impact scoring; the attacker cannot modify or delete stored records through this vulnerability.
- Service availability is not affected; the plugin and WordPress site continue operating normally during and after exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active against all customer images containing the WooCommerce POS plugin at an affected version, with matching occurring within minutes of the advisory being ingested from Patchstack. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment kilbot ships a remediated release. In the meantime, compensating controls available to customers include applying network-policy isolation to restrict inbound access to WordPress admin and POS endpoints, configuring egress filtering to limit the plugin's outbound reach, and using feature-flag or plugin-management tooling to disable the WooCommerce POS plugin on images where it is not operationally required. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is published upstream.
- Affected product: kilbot / WooCommerce POS ≤ 1.8.14
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
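As an added example (not HarborGuard's tooling and not kilbot's code), the POSIX shell script below shows the version match that both the image-detection step and the "disable the plugin where it is not needed" control depend on: it walks a wp-content/plugins directory, identifies WooCommerce POS by its "Plugin Name:" header, reads the "Version:" header, and flags any copy at 1.8.14 or earlier, the affected range stated in this advisory. The plugin directory name, main file name and header layout are assumptions, and the sample plugin tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not HarborGuard's or kilbot's code. Flags a WordPress install
# whose WooCommerce POS plugin is at a version affected by CVE-2026-52711
# (<= 1.8.14). Directory/file names and header layout are assumptions.

AFFECTED_MAX="1.8.14"   # highest affected version per the advisory

# Print the "Version:" header value of a plugin PHP file (empty if none).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when version $1 is <= AFFECTED_MAX, 1 when it is newer or empty.
# Version ordering is delegated to sort -V (GNU coreutils), so 1.8.2 < 1.8.14.
is_affected() {
  v="$1"
  [ -n "$v" ] || return 1
  highest=$(printf '%s\n%s\n' "$v" "$AFFECTED_MAX" | sort -V | tail -n 1)
  [ "$highest" = "$AFFECTED_MAX" ]
}

# Walk a wp-content/plugins directory, find WooCommerce POS main files by their
# "Plugin Name:" header, and report each. Exit 0 if an affected copy was found.
scan_plugins_dir() {
  found=1
  for f in "$1"/*/*.php; do
    [ -f "$f" ] || continue
    grep -q '^[[:space:]*]*Plugin Name:[[:space:]]*WooCommerce POS' "$f" || continue
    v=$(plugin_version "$f")
    if is_affected "$v"; then
      echo "AFFECTED: $f (version $v <= $AFFECTED_MAX, CVE-2026-52711)"
      found=0
    else
      echo "ok: $f (version ${v:-unknown})"
    fi
  done
  return $found
}

# Constructed sample plugin tree (not a real install) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/woocommerce-pos" "$SAMPLE_DIR/other-plugin"
cat > "$SAMPLE_DIR/woocommerce-pos/woocommerce-pos.php" <<'EOF'
<?php
/**
 * Plugin Name: WooCommerce POS
 * Version: 1.8.14
 */
EOF
cat > "$SAMPLE_DIR/other-plugin/other-plugin.php" <<'EOF'
<?php
/**
 * Plugin Name: Some Other Plugin
 * Version: 3.2.0
 */
EOF

scan_plugins_dir "$SAMPLE_DIR" || echo "no affected WooCommerce POS copy found"
rm -rf "$SAMPLE_DIR"
```

Point `scan_plugins_dir` at a real wp-content/plugins path (or run it inside an image layer) to get the same affected/not-affected verdict the advisory describes; a non-zero exit means no affected copy was found, which makes it usable as a build-time gate. Because no fixed version has been published, the script treats only versions above 1.8.14 as clear, and that threshold should be revisited once kilbot ships a remediated release.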