Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.3
UpsellWP: Insecure Access Control in Checkout Allows Unauthorized Actions
CVE-2026-25419
Summary
The UpsellWP plugin's checkout feature has a security issue that allows unauthorized access to certain areas. This could potentially allow an attacker to make changes to orders or access sensitive information. To fix this, update to the latest version of UpsellWP (2.2.4 or later) or restrict access to sensitive areas through your website's access control settings.
Original title
Missing Authorization vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UpsellWP: from n/a...
Original description
Missing Authorization vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UpsellWP: from n/a through <= 2.2.3.
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026