Impact
A Missing Authorization vulnerability in the cedcommerce Ship Per Product plugin allows an attacker to access functionality that should be protected by access control lists. The flaw permits use of privileged plugin features without the required permissions, potentially exposing sensitive configuration or data that the plugin handles. An attacker could therefore gain unauthorized access to plugin operations, which may include manipulation of shipping rules, order handling, or other e‑commerce processes, and could use that access to alter business logic or gain a further foothold in the WordPress site.
Affected Systems
The affected product is cedcommerce Ship Per Product for WordPress, versions up to and including 2.1.0. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, further indicating that there are no widely known or active exploits. Likely attack vectors involve issuing crafted HTTP requests to the plugin’s endpoints while authenticated as a WordPress user, or, if the plugin exposes any public interfaces, reaching it without authentication. Because the flaw is a missing authorization check, the attacker only needs to send requests that normally require higher privileges, which is straightforward once the web application is reachable.