CVE-2026-4880
Published: 16 April 2026
Summary
CVE-2026-4880 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces least privilege to directly prevent unauthorized privilege escalation via modification of wp_capabilities meta key.
Mandates enforcement of approved authorizations, blocking unrestricted access to sensitive actions like setUserMeta and barcodeScannerConfigs.
Requires secure management of authenticators like tokens to prevent leakage through actions and spoofing via user-supplied Base64-encoded user IDs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) enables privilege escalation to administrator via token leakage and user capability modification (T1068).
NVD Description
The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the…
more
plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.
Deeper analysisAI
CVE-2026-4880 is a privilege escalation vulnerability in the Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress, affecting all versions up to and including 1.11.0. The issue arises from insecure token-based authentication, where the plugin trusts a user-supplied Base64-encoded user ID in the token parameter to identify users. It also leaks valid authentication tokens through the 'barcodeScannerConfigs' action and lacks meta-key restrictions on the 'setUserMeta' action. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity. By spoofing an administrator's user ID, they can trigger the 'barcodeScannerConfigs' action to leak a valid authentication token. Attackers then use this token with the unrestricted 'setUserMeta' action to modify any user's 'wp_capabilities' meta key, granting themselves full administrative privileges on the targeted WordPress site.
Advisories and patches are detailed in the provided references. The Wordfence threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve) covers the vulnerability. WordPress plugin trac shows the vulnerable code in Core.php (https://plugins.trac.wordpress.org/browser/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/trunk/src/Core.php?rev=3391688#L498) and a related changeset (https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders#file30), indicating fixes applied in later versions.
Details
- CWE(s)