Impact
A missing authorization check in the Ship Depot for WooCommerce plugin allows users with lower privileges to perform administrative actions. The flaw stems from incorrectly configured access control on backend endpoints that should be restricted to authorized personnel, so privileged functions can be invoked without the intended permission check. Based on the description, it is inferred that an authenticated user with a limited role can trigger higher-privilege actions, compromising the integrity of the plugin's configuration data and potentially affecting site availability.
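The bug class described above, in a WordPress handler, as an added illustration (this is hypothetical example code written for this page, not the Ship Depot for WooCommerce source; the hook names, option name, and nonce action are assumed). The vulnerable handler is reachable by any logged-in user because `wp_ajax_*` actions fire for every authenticated account regardless of role; the hardened handler checks the nonce and then the `manage_woocommerce` capability before touching any state:

```php
<?php
/*
 * Hypothetical illustration of a missing authorization check in a
 * WordPress/WooCommerce plugin endpoint. Not the Ship Depot source;
 * hook names, option names and nonce actions are assumptions.
 */

// VULNERABLE PATTERN: wp_ajax_* fires for every logged-in user, whatever
// their role, so a Subscriber can reach this endpoint. The handler never
// asks whether the caller is allowed to change settings.
add_action( 'wp_ajax_example_save_shipping_settings', 'example_save_shipping_settings_vulnerable' );
function example_save_shipping_settings_vulnerable() {
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_shipping_api_key', $api_key ); // any authenticated user rewrites config
    wp_send_json_success();
}

// HARDENED PATTERN: verify the CSRF nonce, then verify the capability.
// manage_woocommerce is the capability WooCommerce grants to Shop Managers
// and Administrators; everyone else receives a 403 before any state changes.
add_action( 'wp_ajax_example_save_shipping_settings_secure', 'example_save_shipping_settings_secure' );
function example_save_shipping_settings_secure() {
    check_ajax_referer( 'example_shipping_settings', 'nonce' ); // dies with 403 on a bad or missing nonce

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // exits
    }

    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_shipping_api_key', $api_key );
    wp_send_json_success();
}

// The same decision belongs in permission_callback for REST routes.
// Using '__return_true' there would reproduce the bug for REST clients.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/shipping-settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_shipping_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );

function example_rest_save_shipping_settings( WP_REST_Request $request ) {
    update_option( 'example_shipping_api_key', sanitize_text_field( (string) $request->get_param( 'api_key' ) ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

The nonce check alone is not a fix: a nonce proves the request came from a page the current user loaded, not that the user is allowed to perform the action. When reviewing a plugin for this class of flaw, look at every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route` callback and confirm a `current_user_can()` check (or a REST `permission_callback` that performs one) runs before any `update_option`, database write or file operation.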
Affected Systems
WordPress installations running the Ship Depot for WooCommerce plugin at version 1.2.19 or earlier are affected. Every WordPress deployment with the plugin in that version range remains vulnerable until the plugin is updated to a release that restores the authorization check.
Risk and Exploitability
The CVSS score of 4.3 (Medium) reflects limited impact, and the EPSS score of under 1% suggests a low likelihood of exploitation in the wild. The flaw is not listed in CISA KEV. The likely attack vector is an authenticated user calling unprotected backend endpoints. Based on the description, it is inferred that an attacker needs an account with a limited role that can still reach the plugin's management endpoints; from there, the missing authorization check lets them perform actions intended for administrators. The description does not state which role suffices; if a low role such as Subscriber is enough, any site with open registration is exposed to anyone who can create an account. The absence of known exploitation and the low EPSS reduce urgency, but the potential for abuse still warrants remediation.
OpenCVE Enrichment