WordPress - Barcode Scanner (+mobile App) – Inventory Manager, Order Fulfillment System, Pos (point Of Sale) - CRITICAL - CVE-2026-4880. The Barcode Scanner plugin for WordPress is susceptible to a privilege escalation vulnerability due to improper token-based authentication. All versions up to and including 1.11.0 are affected, as the plugin relies on a user-supplied Base64-encoded user ID in the token parameter for user identification. This configuration allows unauthenticated attackers to spoof the admin user ID, compromising valid authentication tokens accessible via the 'barcodeScannerConfigs' action. Furthermore, due to the absence of meta-key restrictions on the 'setUserMeta' action, attackers can manipulate user capabilities, potentially elevating their privileges to become an administrator. Proper precautions and updates are vital to mitigate this security risk.