CRITICALAi
Verified
Global

NVD CRITICAL: CVE-2026-4880 — The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system,...

·Source: NIST NVD

Updated:

Executive Summary

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens th

Analysis

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access. CVSS Score: 9.8. Published: 2026-04-16T00:16:29.393.

Indicators of Compromise (1)

CVE (1)
CVE-2026-4880
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Apr 16, 2026. Verified by: NIST.

Related Threats

MEDIUMAi

White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology

A White House official said the administration is engaging with advanced AI labs about their models and the security of software. The post White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology appeared first on SecurityWeek .

SecurityWeek
MEDIUMAi

Anthropic’s Dario Amodei heads to White House amid hacking fears over Mythos

Ian Duncan and Cat Zakrzewski report: Anthropic chief executive Dario Amodei is set to meet White House Chief of Staff Susie Wiles on Friday, according to a person briefed on the plan, as the federal government races to understand the national security implications of a powerful new artificial intelligence model the company says it has... Source

DataBreaches.net
LOWAi

Moody’s agentic workflows land on AWS Marketplace

Moody’s Corporation (NYSE: MCO) today announced that its Moody’s Agentic Solutions (MAS) workflows are now available in AWS Marketplace.

Finextra