Description
Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking aftership-woocommerce-tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AfterShip Tracking: from n/a through <= 1.17.17.
Published: 2025-08-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the AfterShip Tracking plugin allows unauthorized users to invoke functions that should be restricted, potentially exposing confidential shipping information and permitting manipulation of tracking entries. This flaw enables attackers to read or modify data intended for legitimate staff, thereby compromising confidentiality and integrity. The vulnerability is a broken access control issue, classified as CWE-862, and can be triggered by any user who can reach the plugin's endpoints, because the proper role checks are missing.

Affected Systems

WordPress sites that employ the AfterShip Tracking plugin, from the earliest release through version 1.17.17. The plugin is distributed by AfterShip and Automizely. Any instance of the plugin within this version range is susceptible unless additional access restrictions have been applied manually.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate impact. The EPSS score of less than 1% suggests a low probability of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker with network access sending crafted HTTP requests to exposed plugin endpoints, which does not require advanced skills. Consequently, the overall risk is moderate, particularly for installations that expose the plugin to external users or handle sensitive logistics data.

Generated by OpenCVE AI on April 30, 2026 at 08:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AfterShip Tracking plugin to a version newer than 1.17.17.
  • If an update is not yet available, restrict access to the plugin’s pages by assigning only the required WordPress roles and capabilities, ensuring that unauthorized users cannot reach the endpoints.
  • Disable the plugin entirely until an official patch is released.
  • Monitor server logs for suspicious requests to the plugin’s endpoints and review user roles for unintended privileges.

Advisories
Source | ID | Title
EUVD | EUVD-2025-25929 | Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AfterShip Tracking: from n/a through 1.17.17.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in AfterShip &amp; Automizely AfterShip Tracking aftership-woocommerce-tracking allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects AfterShip Tracking: from n/a through <= 1.17.17.
  Added: Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking aftership-woocommerce-tracking allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects AfterShip Tracking: from n/a through <= 1.17.17.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AfterShip Tracking: from n/a through 1.17.17.
  Added: Missing Authorization vulnerability in AfterShip &amp; Automizely AfterShip Tracking aftership-woocommerce-tracking allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects AfterShip Tracking: from n/a through <= 1.17.17.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Thu, 28 Aug 2025 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Aftership & Automizely
Aftership & Automizely aftership Tracking
Wordpress
Wordpress wordpress
Vendors & Products Aftership & Automizely
Aftership & Automizely aftership Tracking
Wordpress
Wordpress wordpress

Wed, 27 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AfterShip Tracking: from n/a through 1.17.17.
Title WordPress AfterShip Tracking Plugin <= 1.17.17 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:41.769Z

Reserved: 2025-08-27T16:18:58.324Z

Link: CVE-2025-58201

Vulnrichment

Updated: 2025-08-27T18:29:18.104Z

NVD

Status: Deferred

Published: 2025-08-27T18:15:47.840

Modified: 2026-04-28T19:34:04.313

Link: CVE-2025-58201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:15:32Z

Weaknesses