CVE-2026-4880
WordPress · Barcode Scanner (+Mobile App)
The Barcode Scanner plugin for WordPress is vulnerable to privilege escalation via insecure token handling and lack of meta-key restrictions.
Executive summary
A critical privilege escalation vulnerability in the Barcode Scanner plugin allows unauthenticated attackers to gain full administrative access.
Vulnerability
The plugin selects the authentication token to use from a user ID that the client supplies Base64-encoded, and it accepts that ID without verifying that the caller is the user in question. Base64 is an encoding, not a secret, so an unauthenticated attacker can spoof any user ID, leak that user's valid token, and then call the plugin's user-metadata setter, which does not restrict which meta keys may be written. In WordPress a user's role is stored in the capabilities user-meta key (wp_capabilities with the default table prefix), so an unrestricted setter lets the attacker grant an account the administrator role.
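To make the two defects concrete, the following is an added Python model of the pattern the advisory describes, placed beside a hardened form. It is not the plugin's PHP and is not code from the project: the in-memory store, the token strings, and the plugin-owned meta key barcode_scanner_settings are assumptions made for the model. The model shows why a Base64 user ID is trivially spoofable and why an allowlist of plugin-owned meta keys, rather than a denylist, is the fix for the setter.

```python
import base64
import binascii
import hmac
from typing import Any, Dict, Optional


def make_store() -> Dict[int, Dict[str, Any]]:
    """Constructed stand-in for wp_users/wp_usermeta rows plus a per-user token.
    Token values and logins are assumptions for this model, not plugin data."""
    return {
        1: {"login": "admin", "token": "tok-admin-0001",
            "meta": {"wp_capabilities": {"administrator": True}}},
        7: {"login": "visitor", "token": "tok-visitor-0007",
            "meta": {"wp_capabilities": {"subscriber": True}}},
    }


# Keys the hardened setter will write: only the plugin's own state.
# The key name is hypothetical; role-bearing core keys are deliberately absent.
ALLOWED_META_KEYS = frozenset({"barcode_scanner_settings"})


def vulnerable_lookup_token(store: Dict[int, Dict[str, Any]],
                            client_user_id_b64: str) -> Optional[str]:
    """Defect 1: the token is chosen by a user ID the caller supplies.
    Encoding the string "1" as Base64 ("MQ==") is enough to obtain the admin token."""
    try:
        user_id = int(base64.b64decode(client_user_id_b64, validate=True))
    except (binascii.Error, ValueError):
        return None
    rec = store.get(user_id)
    return rec["token"] if rec else None


def _user_for_token(store: Dict[int, Dict[str, Any]], presented: str) -> Optional[int]:
    """Identity is derived from the secret the caller proves possession of,
    never from a caller-chosen ID. Constant-time compare avoids timing leaks."""
    for uid, rec in store.items():
        if hmac.compare_digest(rec["token"], presented):
            return uid
    return None


def vulnerable_set_meta(store: Dict[int, Dict[str, Any]], token: str,
                        key: str, value: Any) -> bool:
    """Defect 2: any meta key may be written, including wp_capabilities."""
    uid = _user_for_token(store, token)
    if uid is None:
        return False
    store[uid]["meta"][key] = value
    return True


def hardened_set_meta(store: Dict[int, Dict[str, Any]], token: str,
                      key: str, value: Any) -> bool:
    """Fix: write only allowlisted plugin-owned keys. The ID-keyed token lookup
    above has no safe form and is removed outright in the hardened design."""
    uid = _user_for_token(store, token)
    if uid is None or key not in ALLOWED_META_KEYS:
        return False
    store[uid]["meta"][key] = value
    return True


def role_of(store: Dict[int, Dict[str, Any]], uid: int) -> str:
    """Role name recorded in the (modelled) capabilities meta."""
    return next(iter(store[uid]["meta"]["wp_capabilities"]))


if __name__ == "__main__":
    s = make_store()
    spoofed = base64.b64encode(b"1").decode()          # "MQ=="
    print("leaked admin token:", vulnerable_lookup_token(s, spoofed))
    vulnerable_set_meta(s, s[7]["token"], "wp_capabilities", {"administrator": True})
    print("visitor role after vulnerable setter:", role_of(s, 7))
    h = make_store()
    ok = hardened_set_meta(h, h[7]["token"], "wp_capabilities", {"administrator": True})
    print("hardened setter accepted wp_capabilities:", ok, "| role:", role_of(h, 7))
```

The allowlist matters more than the token check: even a caller holding a legitimate low-privilege token must not be able to name core keys such as wp_capabilities or wp_user_level, so the setter decides what is writable, not the client.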
Business impact
The vulnerability carries a CVSS score of 9.8 (critical). Successful exploitation is a full administrative takeover of the WordPress instance, which allows data exfiltration, malware injection, and complete control over the site's configuration.
Remediation
Immediate Action: Update the Barcode Scanner plugin to a release the vendor identifies as fixing this issue. If no fixed release is available, deactivate and remove the plugin immediately.
Proactive Monitoring: Review user accounts for unauthorized additions or changes to administrative roles, and check for unexpected values in the capabilities user meta. Because valid tokens may already have been leaked, rotate the plugin's tokens and the credentials of any affected accounts once the site is cleaned.
Compensating Controls: Until the plugin is patched or removed, use a Web Application Firewall (WAF) to block or alert on suspicious requests targeting the 'barcodeScannerConfigs' and 'setUserMeta' actions, and retain the matching access-log entries for incident review.
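As an added example supporting the monitoring and WAF items above (not part of the original advisory or of the plugin), the following Python triages web-server access logs for requests that invoke the two named actions and reports any query value that decodes as a Base64-encoded small integer, the shape of the spoofable user ID. The log lines are constructed; the endpoint (admin-ajax.php?action=...) and the parameter name carrying the user ID ("user") are assumptions, so adjust them to the request shape your own logs show for this plugin.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Action names taken from the advisory's compensating-controls note.
WATCHED_ACTIONS = frozenset({"setUserMeta", "barcodeScannerConfigs"})

# Apache/nginx combined log format. Request bodies are not logged, so parameters
# sent in a POST body are invisible here; the action in the query string is what we have.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (assumed endpoint and parameter names, see lead-in).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2026:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=barcodeScannerConfigs&user=MQ%3D%3D HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2026:14:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=setUserMeta HTTP/1.1" 200 87
198.51.100.4 - - [10/Mar/2026:14:05:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44
192.0.2.77 - - [10/Mar/2026:14:09:02 +0000] "GET /?p=12 HTTP/1.1" 200 9031
"""


def decoded_user_ids(target: str) -> List[int]:
    """Heuristic: report every query value that is valid Base64 for a decimal
    integer, regardless of parameter name, since that is the spoofable ID's shape."""
    ids: List[int] = []
    for values in parse_qs(urlsplit(target).query).values():
        for v in values:
            try:
                raw = base64.b64decode(v, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw.isdigit():
                ids.append(int(raw))
    return ids


def watched_action(target: str) -> Optional[str]:
    """Return the watched action named in the query string, if any."""
    for action in parse_qs(urlsplit(target).query).get("action", []):
        if action in WATCHED_ACTIONS:
            return action
    return None


def triage(lines: Iterable[str]) -> Dict[str, List[dict]]:
    """Group requests that hit the plugin's watched actions by client IP."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        action = watched_action(m["target"])
        if action is None:
            continue
        hits[m["ip"]].append({
            "ts": m["ts"],
            "method": m["method"],
            "action": action,
            "status": int(m["status"]),
            "user_ids": decoded_user_ids(m["target"]),
        })
    return dict(hits)


if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for e in events:
            print("  ", e["ts"], e["method"], e["action"], e["status"], e["user_ids"])
```

A burst of barcodeScannerConfigs requests carrying different decoded IDs from one client is the enumeration pattern to look for; a setUserMeta call following it from the same IP is the point at which the role audit in the monitoring item above becomes urgent.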
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents an extreme risk to site integrity. Administrators should treat this as a high-priority incident and move to remediate or disable the affected component immediately.