PT-2026-33185 · WordPress · Barcode Scanner

Jude Nwadinobi · Published 2026-04-15 · Updated 2026-04-16 · CVE-2026-4880

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress, versions prior to 1.11.1

Description: Insecure token-based authentication allows unauthenticated attackers to escalate privileges to administrator. The issue stems from the plugin trusting a user-supplied Base64-encoded user ID within the token parameter to identify users. Additionally, valid authentication tokens are leaked through the 'barcodeScannerConfigs' action, and the 'setUserMeta' action lacks meta-key restrictions. An attacker can spoof an administrator user ID to leak that administrator's authentication token and subsequently use the token to update the wp_capabilities meta of any user to gain full administrative access.

Recommendations: Update to a version newer than 1.11.0.
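The two weaknesses the description names, identity derived from a client-supplied Base64 user ID and a meta-update action with no meta-key restriction, are both design errors in how an AJAX handler trusts its input. The following is an added illustration, not the plugin's code and not a reconstruction of its actual handler, of how a WordPress AJAX action of this kind can be written so that both weaknesses are absent: the caller is taken from the authenticated WordPress session, cross-user writes require the 'edit_user' capability, and the meta key must be on an allowlist that can never include capability storage. All names prefixed bsx_ are hypothetical.

```php
<?php
// Added example (not the plugin's code). Hypothetical handler for a
// "set user meta" style AJAX action, written to avoid the two flaws the
// advisory describes. All bsx_-prefixed names are made up for this example.

// Meta keys this endpoint is permitted to write. Everything else is refused.
const BSX_ALLOWED_USER_META = array(
    'bsx_scanner_prefs',
    'bsx_last_device',
);

/**
 * Identify the caller from the WordPress session only.
 * A user ID carried in the request (Base64-encoded or otherwise) is never
 * used as the caller's identity.
 */
function bsx_current_user_id_or_fail() {
    $uid = get_current_user_id();
    if ( 0 === $uid ) {
        wp_send_json_error( array( 'error' => 'not_authenticated' ), 401 );
    }
    return $uid;
}

/**
 * Decide whether $meta_key may be written through this endpoint.
 * Only allowlisted keys pass; keys that hold roles, capabilities or
 * sessions are refused even if they were ever added to the allowlist.
 */
function bsx_is_writable_meta_key( $meta_key ) {
    if ( ! is_string( $meta_key ) || '' === $meta_key ) {
        return false;
    }
    // Defence in depth: the endpoint must never touch privilege storage
    // (e.g. wp_capabilities, wp_user_level) or session storage.
    $forbidden_fragments = array( 'capabilities', 'user_level', 'session_tokens' );
    foreach ( $forbidden_fragments as $fragment ) {
        if ( false !== strpos( $meta_key, $fragment ) ) {
            return false;
        }
    }
    return in_array( $meta_key, BSX_ALLOWED_USER_META, true );
}

function bsx_ajax_set_user_meta() {
    // CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'bsx_set_user_meta', 'nonce' );

    $caller_id = bsx_current_user_id_or_fail();

    // The target defaults to the caller. Writing another user's meta
    // requires the edit_user meta capability for that specific user.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $caller_id;
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
    }

    // Meta key: normalised, then checked against the allowlist.
    $meta_key = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! bsx_is_writable_meta_key( $meta_key ) ) {
        wp_send_json_error( array( 'error' => 'meta_key_not_allowed' ), 400 );
    }

    $meta_value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    update_user_meta( $target_id, $meta_key, $meta_value );
    wp_send_json_success( array( 'user_id' => $target_id, 'meta_key' => $meta_key ) );
}

// Registered for logged-in users only: there is deliberately no
// wp_ajax_nopriv_ counterpart, so unauthenticated requests never reach it.
add_action( 'wp_ajax_bsx_set_user_meta', 'bsx_ajax_set_user_meta' );
```

The allowlist plus the explicit refusal of anything containing 'capabilities' or 'user_level' is what closes the privilege-escalation path the advisory describes: even a caller who is legitimately authenticated cannot turn this endpoint into a role editor. The same principle applies to the configuration action mentioned above; a response that returns settings to the client should never carry another user's authentication token, and any token the client does hold should be validated server-side against the session rather than decoded to decide who the caller is.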

Fix · LPE

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2026-4880

Affected Products: Barcode Scanner