Impact
The Small Package Quotes – Unishippers Edition plugin contains a missing authorization flaw that allows an attacker to bypass intended security controls. This broken access control, identified as CWE‑862, lets users reach administrative functions that should be protected by role checks. An attacker can view, modify, or delete shipping quotes and related configuration, potentially altering the site’s logistics and financial accuracy.
Affected Systems
All releases of EnitureTechnology’s Small Package Quotes – Unishippers Edition plugin from the earliest version up to and including 2.4.9 are affected. The flaw lies in the plugin’s internal permission checks and is present in any WordPress environment that hosts one of these releases. No other platform or operating‑system dependencies are mentioned.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate‑severity vulnerability, while the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in CISA KEV, meaning no confirmed public exploits are documented. An attacker would need to reach the plugin’s administrative endpoints, which are exposed through the WordPress site, and may succeed with normal user credentials or, if role checks are entirely bypassed, even without authentication. The impact could include unauthorized disclosure of shipping data or manipulation of quotes and pricing.