Impact
The vulnerability is a missing authorization flaw that allows users to access plugin functionality that is not properly constrained by access control lists. Unauthorized users could invoke shipping-related actions, potentially exposing sensitive data or performing unauthorized operations. The weakness is classified as CWE-862 and carries a CVSS score of 5.3. The flaw is not known to be actively exploited; the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog.
Affected Systems
WordPress sites that use the official Sendle Shipping plugin (Joovii Sendle Shipping) are affected. All releases from the initial version up to and including version 6.02 are potentially impacted, so any site with one of those versions installed is in scope.
Risk and Exploitability
Attackers can exploit the flaw without special credentials, using publicly reachable plugin endpoints. Because the vulnerability requires only standard site access, the risk is moderate; however, the very low EPSS score suggests that active exploitation is unlikely at present. The CVSS score of 5.3 indicates medium severity, with potential for confidentiality or integrity compromise if privilege escalation succeeds. No exploitation activity has been reported, and the vulnerability is not yet in the KEV catalog.
OpenCVE Enrichment