Description
Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.1.0.
Published: 2025-09-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Missing Authorization vulnerability lets attackers bypass correctly configured access controls within the Order Delivery Date for WooCommerce plugin. An attacker who can submit requests as a logged‑in user may view or alter order delivery dates and other order settings, compromising order integrity and potentially causing incorrect shipping schedules. The weakness is classified as CWE‑862 (Missing Authorization).

Affected Systems

The flaw affects any installation of the tychesoftwares Order Delivery Date for WooCommerce plugin through version 4.1.0, including older releases that were never updated. The vulnerability may be present in all environments where the plugin is active, regardless of the WordPress site domain.

Risk and Exploitability

The CVSS score of 4.3 classifies this as Medium severity, and an EPSS score of less than 1% suggests exploitation is unlikely in the wild, which is reinforced by its absence from KEV. The attack is likely carried out via the plugin's web interface or API endpoints; the inference is that the attacker needs only to be authenticated and does not need sufficient privileges for the action. An attacker could use this to change delivery dates or access restricted order data, causing business process disruption but not critical system compromise.

Generated by OpenCVE AI on April 30, 2026 at 07:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Order Delivery Date for WooCommerce release, version 4.1.1 or later.
  • If an upgrade cannot be performed immediately, reconfigure the plugin to restrict its management functionality to administrator accounts only, and verify that non‑admin users cannot reach those endpoints.
  • Audit the WordPress user roles and capabilities to ensure that only authorized personnel are granted permissions to edit orders and delivery dates, and revoke any excessive privileges.



Advisories
Source: EUVD
ID: EUVD-2025-26567
Title: Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through 4.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through 4.1.0.
  Added: Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.1.0.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 03 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Tychesoftwares
Tychesoftwares order Delivery Date For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Tychesoftwares
Tychesoftwares order Delivery Date For Woocommerce
Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through 4.1.0.
Title WordPress Order Delivery Date for WooCommerce Plugin <= 4.1.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:40:05.911Z

Reserved: 2025-09-03T09:02:27.116Z

Link: CVE-2025-58599

Vulnrichment

Updated: 2025-09-03T17:38:55.584Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:40.860

Modified: 2026-04-23T15:33:26.170

Link: CVE-2025-58599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:30:31Z

Weaknesses