Missing Authentication Vulnerability in STRABL Checkout Solution Plugin for WordPress
CVE-2026-3640

5.3 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 19 June 2026

What is CVE-2026-3640?

The STRABL plugin for WordPress, a checkout solution, is susceptible to a missing authentication vulnerability, allowing unauthorized access to a REST API endpoint. This weakness enables attackers to send unverified requests, executing a range of harmful actions such as creating fraudulent WooCommerce orders, altering existing order statuses, registering new WordPress user accounts, processing refunds, canceling orders, and imposing chargebacks without valid credentials or legitimate payment. The absence of authentication mechanisms, such as shared secrets or token-based verification, significantly raises the risk of exploitation.
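
The description names shared secrets and token-based verification as the missing controls. One way a WordPress REST route can enforce a shared-secret check is sketched below; this is an added example, not code from the STRABL plugin or from this advisory. The namespace, route, header names, function names and the `EXAMPLE_WEBHOOK_SECRET` constant are all hypothetical, and the secret is assumed to be defined in `wp-config.php`.

```php
<?php
// Added example: hypothetical plugin code, not STRABL's.
// Assumed names: example-checkout/v1, /order-status, EXAMPLE_WEBHOOK_SECRET,
// X-Example-Timestamp, X-Example-Signature.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-checkout/v1', '/order-status', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_order_status',
        // Weak form: 'permission_callback' => '__return_true' lets any
        // unauthenticated client reach the handler.
        'permission_callback' => 'example_verify_signature',
    ) );
} );

function example_verify_signature( WP_REST_Request $request ) {
    // Fail closed when no secret is configured.
    if ( ! defined( 'EXAMPLE_WEBHOOK_SECRET' ) || '' === EXAMPLE_WEBHOOK_SECRET ) {
        return new WP_Error( 'example_no_secret', 'Endpoint not configured.', array( 'status' => 503 ) );
    }
    $timestamp = (string) $request->get_header( 'X-Example-Timestamp' );
    $signature = (string) $request->get_header( 'X-Example-Signature' );
    // Reject stale or malformed timestamps to bound replay of captured requests.
    if ( ! ctype_digit( $timestamp ) || abs( time() - (int) $timestamp ) > 300 ) {
        return new WP_Error( 'example_stale', 'Timestamp outside allowed window.', array( 'status' => 401 ) );
    }
    // The MAC covers the timestamp and the exact raw body.
    $expected = hash_hmac( 'sha256', $timestamp . '.' . $request->get_body(), EXAMPLE_WEBHOOK_SECRET );
    // hash_equals() compares in constant time.
    if ( ! hash_equals( $expected, $signature ) ) {
        return new WP_Error( 'example_bad_sig', 'Invalid signature.', array( 'status' => 401 ) );
    }
    return true;
}

function example_handle_order_status( WP_REST_Request $request ) {
    // Only reached after the signature check passes.
    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'example_no_order', 'Unknown order.', array( 'status' => 404 ) );
    }
    // Allow-list the transitions the payment provider may request.
    $status = sanitize_key( $request->get_param( 'status' ) );
    if ( ! in_array( $status, array( 'processing', 'cancelled', 'refunded' ), true ) ) {
        return new WP_Error( 'example_bad_status', 'Status not allowed.', array( 'status' => 400 ) );
    }
    $order->update_status( $status );
    return rest_ensure_response( array( 'ok' => true ) );
}
```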

Affected Version(s)

STRABL – A checkout solution 0 <= 4.5

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Teerachai Somprasong