CVE-2026-61952 MEDIUM

CVE-2026-61952: WordPress WooCommerce Bulk Edit Products – WP Sheet Editor plugin <= 1.8.21 - Broken Access Control vulnerability

Vendor Jose Vega
Product WooCommerce Bulk Edit Products – WP Sheet Editor
Weakness CWE-862 · Missing authorization
Published July 13, 2026
Last update July 13, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products – WP Sheet Editor: from n/a through <= 1.8.21.

Explanation of Vulnerability in Simple Terms

02Summary

WooCommerce Bulk Edit Products – WP Sheet Editor versions up to 1.8.21 lack proper authorization checks on certain administrative functions. A high-privileged user (such as a site administrator) can modify product data without proper permission validation. This allows unauthorized changes to product information within the scope of their role.

What an attacker can do

03Attacker Capabilities

Modify product data without proper authorization checks.

Potential impact on your site

04Site Impact

Administrators or high-privileged users can alter product information beyond their intended scope.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrative privileges on the WordPress site.

Key dates

06Disclosure timeline

July 13, 2026 CVE published
July 13, 2026 Record updated

Related vulnerabilities

08Related CVE