{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24372", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-03-25T16:14:32.017Z", "dateUpdated": "2026-03-26T20:12:44.413Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "subscriptions-for-woocommerce", "product": "Subscriptions for WooCommerce", "vendor": "WP Swings", "versions": [{"changes": [{"at": "1.9.0", "status": "unaffected"}], "lessThanOrEqual": "<= 1.8.10", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:13.170Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.<p>This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.</p>"}], "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "Input Data Manipulation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:32.017Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability?_s_id=cve"}], "title": "WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass Vulnerability vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T20:10:57.643401Z", "id": "CVE-2026-24372", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:12:44.413Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24372", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T20:10:57.643401Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:10:52.611Z"}}], "cna": {"title": "WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass Vulnerability vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "Input Data Manipulation"}]}], "affected": [{"vendor": "WP Swings", "product": "Subscriptions for WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "1.9.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.8.10"}], "packageName": "subscriptions-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:13.170Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.<p>This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:32.017Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24372", "state": "PUBLISHED", "dateUpdated": "2026-03-26T20:12:44.413Z", "dateReserved": "2026-01-22T14:42:32.873Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:32.017Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n por suplantaci\u00f3n en WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce permite la manipulaci\u00f3n de datos de entrada. Este problema afecta a Subscriptions for WooCommerce: desde n/a hasta &lt;= 1.8.10."}], "id": "CVE-2026-24372", "lastModified": "2026-03-26T21:17:03.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:37.660", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/subscriptions-for-woocommerce/vulnerability/wordpress-subscriptions-for-woocommerce-plugin-1-8-10-bypass-vulnerability-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Subscriptions for WooCommerce", "source": "cna", "vendor": "WP Swings"}, "product": "subscriptions_for_woocommerce", "vendor": "wp_swings"}], "analysis": {"en": {"generated_at": "2026-03-25T19:04:19.213565+00:00", "value": {"mitigation_remediation": ["Upgrade the Subscriptions for WooCommerce plugin to a version newer than 1.8.10", "Verify that all plugin files match the official release and no unauthorized modifications exist", "Restrict administrative access to trusted IP addresses or enable two\u2011factor authentication for users with subscription\u2011management permissions", "Monitor server logs for unusual subscription activity or changes", "Perform a security review of the site to ensure no additional vulnerabilities are present"], "summary": {"action": "Immediate Patch", "impact": "Authentication spoofing bypass (unauthorized access)"}, "threat_synthesis": {"affected_systems": "All installations of the Subscriptions for WooCommerce plugin version 1.8.10 or earlier on WordPress sites are affected. Any site using the affected plugin within this version range is at risk.", "description_and_impact": "The WP Swings Subscriptions for WooCommerce plugin contains an authentication spoofing vulnerability that allows an attacker to forge credentials or manipulating input data to gain unauthorized access to subscription\u2011management functions. This flaw can lead to the creation, modification, or cancellation of customer subscriptions and may expose sensitive billing information. The weakness is classified as a credential spoofing flaw.", "risk_and_exploitability": "No CVSS or EPSS score is provided, and the vulnerability is not listed in the KEV catalog. Based on the description, the likely attack vector involves sending crafted HTTP requests to manipulate authentication data, which suggests the flaw is exploitable remotely from the public internet. The potential impact includes full access to subscription controls, making the risk potentially high if exploited; however, quantitative severity metrics are unavailable."}}}}, "created": "2026-03-25T21:34:47.880034+00:00", "updated": "2026-03-26T11:40:02.007153+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_swings", "wp_swings$PRODUCT$subscriptions_for_woocommerce"]}