Impact
The vulnerability in the Wetail WooCommerce Fortnox Integration plugin allows an attacker to bypass the plugin's authorization checks and gain unauthorized access to its administrative functions. The flaw is a classic broken access control problem (CWE-862, Missing Authorization) that could let an attacker perform any action the plugin's highest-privileged features permit, such as managing integration settings or viewing sensitive financial data. No further escalation is required beyond the initial exploit; the impact falls directly on the confidentiality and integrity of the shop's integration data.
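The pattern behind a CWE-862 finding in a WordPress plugin is an action handler that performs a privileged operation without asking whether the caller is allowed to. The following is an added illustration, not code from the Wetail plugin or the advisory: a hypothetical admin-ajax settings handler in its unauthorized form, followed by the hardened form that checks the caller's capability and a nonce before touching state. The hook names, option name and `api_token` field are assumptions for the example.

```php
<?php
// Added illustration (not code from the Wetail plugin). Hook names, option
// name and request fields are hypothetical.

// --- Vulnerable pattern (CWE-862): the handler trusts any logged-in caller. ---
add_action( 'wp_ajax_example_save_fortnox_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // Registered on wp_ajax_*, so only authenticated users reach it, but every
    // role (subscriber, customer, shop manager, ...) counts as authenticated.
    // Nothing verifies that the caller may manage the integration, and there is
    // no nonce, so a logged-in user can also be made to submit it cross-site.
    $settings = array(
        'api_token' => isset( $_POST['api_token'] ) ? $_POST['api_token'] : '',
    );
    update_option( 'example_fortnox_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern: authorization, then CSRF check, then sanitised write. ---
add_action( 'wp_ajax_example_save_fortnox_settings_v2', 'example_save_settings_fixed' );
function example_save_settings_fixed() {
    // 1. Authorization: only users allowed to manage site options proceed.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the request must carry the nonce issued with the form.
    //    check_ajax_referer() dies with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'example_fortnox_settings', '_wpnonce' );

    // 3. Only now touch state, and sanitise what is stored.
    $token = isset( $_POST['api_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_token'] ) )
        : '';
    update_option( 'example_fortnox_settings', array( 'api_token' => $token ) );
    wp_send_json_success();
}
```

The ordering matters: the capability check comes first so that an unauthorized caller never reaches the nonce check or any side effect, and the check is on a capability (`manage_options`) rather than on a role name, which is how WordPress expects authorization to be expressed. When reviewing a plugin for this class of bug, every `wp_ajax_*`, `wp_ajax_nopriv_*`, REST route `permission_callback` and `admin_post_*` handler that writes options or reads integration data should show an equivalent check near its top.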
Affected Systems
Systems running the WooCommerce Fortnox Integration plugin up to and including version 4.5.5 are affected. The plugin is distributed by Wetail and integrates WooCommerce with the Fortnox accounting system. The issue affects every installation of the plugin in which access to its functionality has not been explicitly restricted to administrators.
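A practitioner's first step is to find installs inside the affected range. The script below is an added example, not part of the advisory: it takes the JSON output of `wp plugin list --format=json` (a real WP-CLI command) and reports whether the plugin is installed at a version up to and including 4.5.5. The plugin's directory slug is not given on this page, so the script uses an obvious placeholder that must be replaced with the real slug; the sample inventory embedded in the script is constructed so it runs offline.

```php
<?php
// Added example (not part of the advisory or the plugin). AFFECTED_SLUG is a
// placeholder: replace it with the plugin's real directory name.
const AFFECTED_SLUG         = 'PLACEHOLDER-fortnox-plugin-slug';
const LAST_AFFECTED_VERSION = '4.5.5';   // from the advisory: "up to and including 4.5.5"

/**
 * Given the decoded output of `wp plugin list --format=json`, return
 * 'affected', 'not-affected' or 'not-installed' for the Fortnox plugin.
 */
function fortnox_plugin_status( array $plugins ): string {
    foreach ( $plugins as $plugin ) {
        if ( ( $plugin['name'] ?? '' ) !== AFFECTED_SLUG ) {
            continue;
        }
        // version_compare() orders multi-part versions correctly (4.10.0 > 4.5.5),
        // which a plain string comparison would get wrong.
        $installed = (string) ( $plugin['version'] ?? '0' );
        return version_compare( $installed, LAST_AFFECTED_VERSION, '<=' )
            ? 'affected'
            : 'not-affected';
    }
    return 'not-installed';
}

// Constructed sample standing in for real `wp plugin list --format=json` output.
$sample = json_decode( '[
  {"name":"woocommerce","status":"active","update":"none","version":"9.3.0"},
  {"name":"PLACEHOLDER-fortnox-plugin-slug","status":"active","update":"available","version":"4.5.5"}
]', true );

// Real use on a site:  wp plugin list --format=json | php check-fortnox.php
$piped = ( PHP_SAPI === 'cli' && ! stream_isatty( STDIN ) )
    ? json_decode( stream_get_contents( STDIN ), true )
    : null;

$status = fortnox_plugin_status( is_array( $piped ) ? $piped : $sample );
echo AFFECTED_SLUG . ': ' . $status . PHP_EOL;   // sample prints "...: affected"
```

Run it once per site (or across a fleet with `wp --url=...` or an SSH loop) and treat any `affected` result as an update-now item; an inactive copy of the plugin does not register its hooks, but it should still be updated so it is not reactivated at a vulnerable version.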
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity. The very low EPSS score (below 1%) suggests that exploitation is unlikely at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning there is no record of known widespread exploitation. An attacker who can reach the plugin's administrative interface may nevertheless be able to perform unauthorized actions because of the missing authorization checks.
OpenCVE Enrichment