Platform: wordpress
Component: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Fixed in: 1.11.1, 1.12.0
CVE-2026-4880 is a privilege escalation vulnerability affecting the Barcode Scanner (+Mobile App) plugin for WordPress, used in inventory management, order fulfillment, and point-of-sale systems. This flaw allows unauthenticated attackers to gain elevated privileges by exploiting insecure token-based authentication and inadequate meta-key restrictions. The vulnerability affects versions up to and including 1.11.0; a patch is available in version 1.12.0.
The 'Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)' plugin for WordPress is vulnerable to privilege escalation due to insecure token-based authentication. Versions up to and including 1.11.0 are susceptible. The vulnerability stems from the plugin's trust in a Base64-encoded user ID within the 'token' parameter to identify users. Furthermore, valid authentication tokens are leaked through the 'barcodeScannerConfigs' action, and meta-key restrictions are lacking on the 'setUserMeta' action. This allows an attacker, potentially without elevated privileges, to gain unauthorized access to administrative functionality or sensitive data within the inventory management, order fulfillment, and point-of-sale system, compromising data integrity and confidentiality.
An attacker could exploit this vulnerability by crafting a malicious authentication token containing a spoofed user ID. By submitting this token through the 'barcodeScannerConfigs' action, the attacker could obtain valid authentication tokens. With these tokens, they could then impersonate a legitimate user and perform unauthorized actions within the system, such as modifying inventory data, processing fraudulent orders, or accessing sensitive customer information. The lack of restrictions in 'setUserMeta' further exacerbates the risk, allowing for user metadata manipulation.
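As an added illustration (hypothetical PHP, not the plugin's code or its 1.12.0 patch), here is the trust-the-decoded-ID pattern the advisory describes beside a hardened form: an HMAC-signed, expiring token verified in constant time, and a setUserMeta handler that acts only for the verified user and only on an allowlist of plugin-owned keys. Function and meta-key names are assumptions; the WordPress APIs used (wp_hash, get_user_by, is_protected_meta, update_user_meta, sanitize_text_field) are real.

```php
<?php
// Added illustration, not the plugin's code or its patch: the insecure token
// pattern the advisory describes, beside one hardened form. Names are assumed.
// INSECURE: the token is just base64(user_id), so anyone can mint one for any
// user and the server accepts it as proof of identity.
function insecure_user_from_token( string $token ) {
    return get_user_by( 'id', (int) base64_decode( $token ) );
}

// HARDENED: token = base64( user_id|expiry|HMAC ). wp_hash() keys the HMAC
// with the site's secret salts, so the token cannot be forged without
// server-side secrets, and the expiry bounds the damage from a leaked one.
function issue_user_token( int $user_id, int $ttl = 3600 ): string {
    $expires = time() + $ttl;
    $sig     = wp_hash( $user_id . '|' . $expires, 'auth' );
    return base64_encode( $user_id . '|' . $expires . '|' . $sig );
}

// Returns WP_User on success, false otherwise. The decoded user ID is not
// trusted until the signature over it has been verified.
function verify_user_token( string $token ) {
    $parts = explode( '|', (string) base64_decode( $token, true ), 3 ); // strict decode
    if ( count( $parts ) !== 3 || ! ctype_digit( $parts[0] ) || ! ctype_digit( $parts[1] ) ) {
        return false;
    }
    [ $user_id, $expires, $sig ] = $parts;
    if ( (int) $expires < time() ) {
        return false;                                            // expired
    }
    $expected = wp_hash( $user_id . '|' . $expires, 'auth' );
    if ( ! hash_equals( $expected, $sig ) ) {                    // constant-time compare
        return false;
    }
    return get_user_by( 'id', (int) $user_id );
}

// HARDENED setUserMeta: act only as the verified user, accept only an
// allowlist of plugin-owned keys, and refuse protected/core user meta.
const EXAMPLE_USER_META_ALLOWLIST = [ 'example_scanner_prefs', 'example_last_device' ];
function set_user_meta_safely( string $token, string $key, $value ): bool {
    $user = verify_user_token( $token );
    if ( ! $user ) {
        return false;
    }
    if ( ! in_array( $key, EXAMPLE_USER_META_ALLOWLIST, true ) || is_protected_meta( $key, 'user' ) ) {
        return false;                                            // arbitrary keys rejected
    }
    return false !== update_user_meta( $user->ID, $key, sanitize_text_field( $value ) );
}
```

The token-leak half of the advisory is handled separately: a configuration endpoint such as 'barcodeScannerConfigs' should never return authentication tokens to a caller who has not already proven who they are.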
Exploit Status
EPSS: 0.14% (34th percentile)
The solution to mitigate this vulnerability is to update the plugin to version 1.12.0 or higher. This version includes fixes addressing the insecure token-based authentication, token leakage, and lack of meta-key restrictions. It is recommended to perform this update immediately to protect your WordPress website and associated data. Additionally, review user permissions and plugin security configurations to ensure best security practices are applied. Regularly monitor website logs for suspicious activity.
Update to version 1.12.0, or a newer patched version
All versions of the 'Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)' plugin up to and including version 1.11.0 are vulnerable.
You can update the plugin through the WordPress admin dashboard. Go to 'Plugins' and click 'Update'. If the update is not available, check for updates on the plugin developer's website.
If you suspect your site has been compromised, immediately change all user passwords, review website logs for suspicious activity, and consider performing a comprehensive security audit.
Yes, you can implement additional security measures, such as enabling two-factor authentication, using strong passwords, and keeping all software updated.
You can find more information about this vulnerability in security vulnerability databases, such as the Common Vulnerabilities and Exposures (CVE) with the ID CVE-2026-4880.