Privilege Escalation Vulnerability in Barcode Scanner Plugin for WordPress
CVE-2026-4880

9.8 CRITICAL

What is CVE-2026-4880?

The Barcode Scanner plugin for WordPress is vulnerable to privilege escalation because its token-based authentication is implemented improperly. All versions up to and including 1.11.0 are affected: the plugin identifies the user from a user-supplied Base64-encoded user ID in the token parameter. This lets unauthenticated attackers spoof the admin user ID and compromise valid authentication tokens exposed through the 'barcodeScannerConfigs' action. Because the 'setUserMeta' action does not restrict which meta keys may be written, attackers can then modify user capabilities and elevate their privileges to administrator. Updating the plugin and applying appropriate precautions are essential to mitigate this risk.
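
To make the two defects concrete, the following is an added Python model (not the plugin's PHP and not code from this advisory) of a user-bearing token check: a naive verifier that trusts a Base64 user ID as identity, a verifier that binds the ID to a server-side HMAC so it cannot be rebound, and a meta-key allowlist that keeps a setUserMeta-style action away from capability metadata. The secret, user table and meta keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed secret and user table; a real deployment loads the secret from protected config.
SERVER_SECRET = secrets.token_bytes(32)
USERS = {1: {"login": "admin"}, 7: {"login": "clerk"}}
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def identify_user_insecure(token: str):
    """Flawed pattern: the token is only a Base64 user ID, so the sender picks the account."""
    try:
        uid = int(base64.b64decode(token).decode())
    except (ValueError, UnicodeDecodeError):
        return None
    return USERS.get(uid)

def mint_token(uid: int) -> str:
    """Server-minted token: user ID plus an HMAC over it under a secret the
    client never sees, so the ID cannot be rebound to another account."""
    payload = str(uid).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def identify_user_secure(token: str):
    """Hardened verifier: accepts an ID only when its HMAC tag checks out."""
    try:
        raw = base64.urlsafe_b64decode(token)
        if len(raw) <= TAG_LEN:  # too short to carry an ID and a full tag
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        uid = int(payload.decode())
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return USERS.get(uid)

# Allowlist for a setUserMeta-style action: capability metadata is never
# writable through this path, whoever the authenticated caller is.
ALLOWED_META_KEYS = {"scanner_theme", "scanner_sound"}

def set_user_meta(user, key: str, value: str, store: dict) -> bool:
    if user is None or key not in ALLOWED_META_KEYS:
        return False
    store.setdefault(user["login"], {})[key] = value
    return True
```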

Affected Version(s)

Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale): all versions from 0 up to and including 1.11.0

References

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jude Nwadinobi