CVE-2026-4880

CVE-2026-4880 is a privilege escalation vulnerability in the Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress, affecting all versions up to and including 1.11.0. The issue arises from insecure token-based authentication, where the plugin trusts a user-supplied Base64-encoded user ID in the token parameter to identify users. It also leaks valid authentication tokens through the 'barcodeScannerConfigs' action and lacks meta-key restrictions on the 'setUserMeta' action. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity. By spoofing an administrator's user ID, they can trigger the 'barcodeScannerConfigs' action to leak a valid authentication token. Attackers then use this token with the unrestricted 'setUserMeta' action to modify any user's 'wp_capabilities' meta key, granting themselves full administrative privileges on the targeted WordPress site.

Advisories and patches are detailed in the provided references. The Wordfence threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/a213e844-a0d3-4123-9f72-caef7702804c?source=cve) covers the vulnerability. WordPress plugin trac shows the vulnerable code in Core.php (https://plugins.trac.wordpress.org/browser/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/trunk/src/Core.php?rev=3391688#L498) and a related changeset (https://plugins.trac.wordpress.org/changeset/3506824/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders#file30), indicating fixes applied in later versions.