Description
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
Published: 2025-03-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing-authorization flaw that permits Insecure Direct Object References (IDOR). An attacker can manipulate request parameters to reference objects outside the intended scope, potentially exposing data that should be restricted. The weakness is classified as CWE-862 (Missing Authorization). This flaw can lead to confidentiality violations, allowing an adversary to retrieve or modify data that should be protected from an unauthenticated or improperly authenticated user.

Affected Systems

The affected product is WPCargo Track & Trace developed by Arni Cinco. Versions from the beginning up to and including 8.0.2 are impacted. Users who have installed any of these versions of the plugin should verify which release they are running and plan a remediation path.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the low to moderate severity range. The EPSS score of less than 1% indicates that exploitation is unlikely but not impossible. It is not listed in the CISA KEV catalog. The likely attack vector is remote, whereby a user with knowledge of the underlying object identifiers crafts requests to access unauthorized resources. There is no requirement for elevated privileges beyond standard user access, which may make the attack relatively easy if the user can observe or guess IDs. However, because the EPSS is very low and the overall severity is moderate, the immediate risk to an organization is limited unless the plugin handles highly sensitive data.

Generated by OpenCVE AI on May 2, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPCargo Track & Trace to version 8.0.3 or later to eliminate the IDOR flaw.
  • If an upgrade is not possible, restrict access to the plugin’s administration pages by assigning the minimal user roles required to use its features or by applying server‑side access controls such as .htaccess rules.
  • Implement logging and monitoring for failed or suspicious attempts to access plugin endpoints, and review logs regularly for signs of IDOR exploitation attempts.


Advisories
Source: EUVD
ID: EUVD-2025-8782
Title: Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through 7.0.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through 7.0.6.
  Added: Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
Title
  Removed: WordPress WPCargo Track & Trace plugin <= 7.0.6 - Insecure Direct Object References (IDOR) vulnerability
  Added: WordPress WPCargo Track & Trace plugin <= 8.0.2 - Insecure Direct Object References (IDOR) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Mon, 31 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 13:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through 7.0.6.
Title WordPress WPCargo Track & Trace plugin <= 7.0.6 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.348Z

Reserved: 2025-03-31T10:06:10.341Z

Link: CVE-2025-31609

Vulnrichment

Updated: 2025-03-31T13:43:51.874Z

NVD

Status: Deferred

Published: 2025-03-31T13:15:54.983

Modified: 2026-04-23T15:28:04.147

Link: CVE-2025-31609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z
