PatchSiren cyber security CVE debrief
CVE-2022-41656 Bizswoop CVE debrief
CVE-2022-41656 documents a Missing Authorization vulnerability in the Account Manager for WooCommerce WordPress plugin. The flaw allows exploitation of incorrectly configured access control security levels and affects all versions up to and including 2.1.2. The issue was published to the CVE List on 2026-05-27 and carries a CVSS 3.1 score of 4.3 (MEDIUM severity); the vector indicates a network attack vector, low attack complexity, low privileges required, no user interaction, and low confidentiality impact. The vulnerability is classified under CWE-862 (Missing Authorization). The affected plugin is developed by Bizswoop and integrates with WooCommerce to provide account management functionality. The NVD entry currently shows a status of 'Deferred'. No exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Bizswoop
- Product: Account Manager for WooCommerce
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators running WooCommerce with the Account Manager for WooCommerce plugin installed; security teams monitoring plugin vulnerabilities in e-commerce environments; developers maintaining custom integrations with this plugin
Technical summary
The Account Manager for WooCommerce plugin fails to properly enforce authorization checks, allowing authenticated users with low privileges to reach functionality or data that should be restricted to higher-privileged accounts. The vulnerability stems from incorrectly configured access control security levels (CWE-862): having a valid session is treated as sufficient, without a capability check for the operation being requested. With a CVSS score of 4.3, the issue presents moderate risk primarily to confidentiality, with no direct impact on integrity or availability. The attack requires network access and valid low-privilege credentials but no user interaction.
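The CWE-862 pattern described above, as an added illustration that is not the plugin's own code (the debrief does not show the affected code path): a hypothetical WordPress AJAX handler for a customer-lookup operation, first relying only on a logged-in session, then hardened with a nonce check and a WooCommerce capability check. The handler, hook and action names are assumptions.

```php
<?php
// Added example, not code from Account Manager for WooCommerce. Hypothetical
// handler/action names; the vulnerable variant is shown for contrast only and
// is never registered on a hook.

// VULNERABLE (missing authorization): wp_ajax_* hooks fire for every
// authenticated account, so any low-privileged user (e.g. a Customer role)
// reaches this code. Being logged in is not an authorization decision.
function acctmgr_get_customer_vulnerable() {
    $customer_id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    $customer    = new WC_Customer( $customer_id );
    wp_send_json_success( array(
        'email'   => $customer->get_email(),
        'billing' => $customer->get_billing(),
    ) );
}

// HARDENED: CSRF token bound to this action, then an explicit capability
// check before any data is read.
function acctmgr_get_customer_hardened() {
    // Dies with a 403-style response if the nonce is missing or invalid.
    check_ajax_referer( 'acctmgr_get_customer', 'nonce' );

    // Require the WooCommerce store-management capability (shop managers and
    // administrators). Customers and subscribers do not hold it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        // Record the refusal so log monitoring has a signal for denied attempts.
        error_log( sprintf( 'acctmgr: user %d denied acctmgr_get_customer',
            get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $customer_id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    $customer    = new WC_Customer( $customer_id );
    // WC_Customer resets its ID to 0 when the user does not exist.
    if ( ! $customer->get_id() ) {
        wp_send_json_error( array( 'message' => 'Unknown customer' ), 404 );
    }
    wp_send_json_success( array(
        'email'   => $customer->get_email(),
        'billing' => $customer->get_billing(),
    ) );
}
add_action( 'wp_ajax_acctmgr_get_customer', 'acctmgr_get_customer_hardened' );
```

The same two checks belong on any `admin_post_*` or REST route the plugin exposes; a `permission_callback` that only tests `is_user_logged_in()` has the same defect.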
Defensive priority
medium
Recommended defensive actions
- Review WordPress installations for Account Manager for WooCommerce plugin versions 2.1.2 and earlier
- Upgrade to a patched version of Account Manager for WooCommerce if available
- Implement principle of least privilege for WordPress user accounts
- Monitor access logs for unauthorized account management operations
- Consider Web Application Firewall rules to restrict access to plugin administrative functions
Evidence notes
Vulnerability details are sourced from the NVD modified feed with a Patchstack reference. The CVSS vector confirms a network-accessible attack that requires authentication. Vendor identification is marked low confidence and requires review, because the source data classifies the vendor as 'Unknown Vendor'.
Official resources
- CVE-2022-41656 CVE record (CVE.org)
- CVE-2022-41656 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 2026-05-27T17:16:27.567Z