Impact
The reported flaw is a missing authorization check in the Order Delivery Date for WooCommerce plugin, which allows attackers to exploit incorrectly configured access control security levels. This weakness can enable an attacker to read and manipulate order delivery dates, and potentially other order details that the platform’s role restrictions should protect, thereby compromising the integrity of the order processing workflow.
Affected Systems
The vulnerability impacts the tychesoftwares Order Delivery Date for WooCommerce plugin versions from the initial release through 4.3.1. Sites running WordPress installations with any of these plugin versions are affected.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests the vulnerability is not widely targeted at present, and it is not listed in the CISA KEV catalog. The likely attack vector is remote, via the publicly exposed web interface of the plugin: an adversary could exploit the broken access control by submitting crafted requests to endpoints that normally require higher-level permissions. The low EPSS and absence from KEV suggest current exploitation risk is modest, but the potential for unauthorized modification of order data warrants prompt action.
OpenCVE Enrichment