WordPress Plugin Vulnerabilities

MailerLite - WooCommerce integration < 3.1.4 - Missing Authorization to Data Deletion

Description

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.

Affects Plugins

Plugin icon
woo-mailerlite
Fixed in 3.1.4

References

CVE
CVE-2026-1000
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e20deec4-f40c-4bd3-91f7-6a9d643a5520

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
515b061d-d67a-4c25-a3d9-7fa200e56a8a

Timeline

Publicly Published
2025-12-15 (about 4 months ago)
Added
2026-01-15 (about 3 months ago)
Last Updated
2026-01-16 (about 3 months ago)

Other

Published
Title
Published
2025-04-22
Title
Download Alt Text AI < 1.9.94 - Missing Authorization
Published
2023-11-13
Title
Ditty < 3.1.25 - Missing Authorization via save_ditty_permissions_check
Published
2024-04-04
Title
Classified Listing – Classified ads & Business Directory Plugin < 3.0.5 - Missing Authorization
Published
2025-12-31
Title
Wawp < 4.5 - Missing Authorization
Published
2025-06-27
Title
HurryTimer < 2.14.0 - Missing Authorization