CVE-2026-4880 - Barcode Scanner Lite Pos To Manage Products Inventory And Orders Plugin
CVE-2026-4880
The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.
CVE-2026-4880
CRITICAL
CVSS 9.8
Published 2026-04-16
Updated 2026-04-22
AI Risk Critical (100/100)
Active Exploit: No strong signal
Published Exploit: No public exploit references
Priority: P1 Immediate
Severity Band
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Components
2
Reference Links
3
AI Risk Engine
Critical (100/100)
Exploitability
Very High
Active Exploitation
No strong signal
Published Exploit Status
No public exploit references
AI Context
Machine-generated threat intelligence
AI
Updated 11 days ago
AI enriched 11 days ago (2026-04-16 23:45 UTC)
Technical Summary
The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their…
Potential Impact
Severity is CRITICAL (CVSS 9.8). Depending on deployment context, affected components may be exposed to unauthorized actions or data integrity risk.
Exploitability Assessment
Exploitability is assessed as Very High based on remote code execution potential, low-bar exploit prerequisites.
Primary risk drivers: remote code execution potential, low-bar exploit prerequisites
Mitigation Recommendations
Validate affected product versions, prioritize patching, and monitor references for vendor remediation guidance. If immediate patching is not possible, apply compensating controls and limit exposure of vulnerable surfaces.
Detection & Monitoring
Track authentication anomalies, unexpected file writes, and suspicious plugin API activity around affected components.
Business Impact Lens
AI risk score 100/100 (Critical, Very High) with priority P1 Immediate. Prioritize remediation where affected components process customer data, admin sessions, or Internet-exposed workflows.
