Impact
The vulnerability is a missing authorization flaw that allows actors to reach plugin endpoints that should be restricted. Because those endpoints manage shipping configuration, an attacker can read or change settings that affect cost calculations or delivery options. The weakness is classified as CWE‑862 (Missing Authorization): the code performs a privileged action without first checking that the caller is allowed to perform it, which effectively grants elevated privileges and can lead to unauthorized configuration changes and potential financial impact.
Affected Systems
The affected product is the Bring Fraktguiden for WooCommerce WordPress plugin, in all versions up to and including 1.11.4. Users who have installed this plugin on a WordPress site that also runs WooCommerce are at risk. No specific operating system or server configuration is required; the flaw exists purely in the WordPress plugin code.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that active exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the web application interface: an attacker who can reach the plugin's endpoints and knows they exist may exploit the missing authorization check to gain unauthorized control over shipping settings. The attack requires network access to the WordPress site and may not require a pre‑existing authenticated session if the exposed endpoints are publicly reachable.
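The two passages above (Impact, and Risk and Exploitability) describe the general shape of a CWE‑862 flaw in a WordPress plugin: an endpoint that manages shipping settings is registered without an authorization check, so it can be reached by unauthenticated or low‑privileged callers. The following PHP fragment is an added, hypothetical illustration of that pattern beside its hardened form; it is not the Bring Fraktguiden plugin's code, and the route names, option name, field names and the choice of WooCommerce's manage_woocommerce capability are all assumptions. Both the weak and the hardened registrations appear side by side only so the difference is visible.

```php
<?php
/*
 * Hypothetical WordPress plugin fragment (added example, not the real plugin).
 * Shows a CWE-862 missing-authorization endpoint for shipping settings and
 * the hardened version. All names below are assumed for illustration.
 */

// --- Weak pattern: REST route anyone can read from or write to ------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shipping/v1', '/settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_shipping_settings_handler',
        // CWE-862: __return_true lets unauthenticated visitors call the route,
        // so shipping thresholds and delivery options can be read or changed
        // by anyone who can reach the site.
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened pattern: explicit capability check --------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shipping/v1', '/settings-secure', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_shipping_settings_handler',
        // Only users allowed to manage the shop may reach the route. For
        // cookie-authenticated REST calls WordPress core additionally requires
        // a valid X-WP-Nonce header before this callback runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' ); // assumed capability
        },
    ) );
} );

function example_shipping_settings_handler( WP_REST_Request $request ) {
    $option_key = 'example_shipping_settings'; // assumed option name

    if ( 'POST' === $request->get_method() ) {
        $incoming = $request->get_json_params();
        // Accept only the fields we know, and normalise them.
        $clean = array(
            'free_shipping_threshold' => isset( $incoming['free_shipping_threshold'] )
                ? max( 0, floatval( $incoming['free_shipping_threshold'] ) ) : 0,
            'enable_pickup_points'    => ! empty( $incoming['enable_pickup_points'] ),
        );
        update_option( $option_key, $clean );
        return rest_ensure_response( array( 'updated' => true, 'settings' => $clean ) );
    }

    return rest_ensure_response( get_option( $option_key, array() ) );
}

// --- The same flaw in admin-ajax form ----------------------------------------
// Weak: wp_ajax_nopriv_ exposes the action to logged-out visitors, and the
// handler makes no nonce or capability check.
add_action( 'wp_ajax_nopriv_example_save_shipping', 'example_save_shipping_ajax' );
add_action( 'wp_ajax_example_save_shipping',        'example_save_shipping_ajax' );

// Hardened: logged-in hook only, nonce verified, capability enforced.
add_action( 'wp_ajax_example_save_shipping_secure', function () {
    check_ajax_referer( 'example_shipping_nonce', 'security' ); // assumed nonce action
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    example_save_shipping_ajax();
} );

function example_save_shipping_ajax() {
    $threshold = isset( $_POST['free_shipping_threshold'] )
        ? max( 0, floatval( wp_unslash( $_POST['free_shipping_threshold'] ) ) ) : 0;
    $settings  = get_option( 'example_shipping_settings', array() );
    $settings['free_shipping_threshold'] = $threshold;
    update_option( 'example_shipping_settings', $settings );
    wp_send_json_success( $settings );
}
```

When reviewing a plugin for this class of flaw, the things to look for are exactly the two weak registrations above: a REST route whose permission_callback is __return_true (or missing) while the callback reads or writes settings, and an admin-ajax action hooked on wp_ajax_nopriv_ whose handler changes state without check_ajax_referer and a current_user_can check. The capability used in the hardened form should match the role that legitimately manages shipping; a per-site review decides whether manage_woocommerce or a narrower custom capability is appropriate.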
OpenCVE Enrichment