The Swings Wallet System for WooCommerce contains a broken access control vulnerability that permits unauthorized actions by low-privileged subscriber accounts.

This vulnerability involves a failure in access control, where a user with "Subscriber" level capabilities can perform functions reserved for higher-privileged accounts. The flaw indicates a missing capability check within the plugin’s logic, allowing for unauthorized escalation of privileges.

Broken access control can lead to the manipulation of financial data, unauthorized wallet balance adjustments, or access to sensitive user information. With a CVSS score of 7.1, the potential for financial fraud or data breach is substantial, necessitating prompt remediation to protect the integrity of the e-commerce platform.

Immediate Action: Update the Wallet System for WooCommerce plugin to the latest version provided by Swings to resolve the access control logic.

Proactive Monitoring: Review audit logs for suspicious activity originating from accounts with "Subscriber" roles, particularly actions related to wallet management.

Compensating Controls: Temporarily restrict access to plugin features or disable the plugin if an immediate update is not available and the risk to financial data is deemed unacceptable.

Public Exploit Available: false

Access control vulnerabilities are critical in e-commerce environments where financial assets are involved. Security teams should verify current plugin versions and strictly enforce the principle of least privilege while awaiting vendor patches.