What the vulnerability does
01 Description
Missing Authorization vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpsellWP: from n/a through <= 2.2.5.
Explanation of Vulnerability in Simple Terms
02 Summary
UpsellWP versions 2.2.5 and earlier lack proper authorization checks, allowing authenticated users to access sensitive information they should not be able to view. An attacker with a low-privilege account can read data intended for higher-privilege users. The vulnerability requires valid login credentials but no additional user interaction.
What an attacker can do
03 Attacker Capabilities
Read sensitive data belonging to other users or restricted areas of the site.
Potential impact on your site
04 Site Impact
User data and site information may be exposed to authenticated attackers with minimal account privileges.
Conditions required to exploit
05 Prerequisites
Valid login account with low-level privileges; network access to the site.
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 28, 2026: Record updated