Description
Missing Authorization vulnerability in Octolize Shipping Plugins Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Cart Weight for WooCommerce arises from a missing authorization check, which allows an attacker to manipulate shipping weight settings. This broken access control can lead to incorrect shipping cost calculation, potentially resulting in financial loss or customer dissatisfaction. The flaw is classified as CWE-862: Missing Authorization.

Affected Systems

Affects the Octolize Shipping Plugins Cart Weight for WooCommerce plugin for versions 1.9.11 and earlier. Users running any of these versions should consider them vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS score below 1% suggests a low likelihood of exploitation at this time. The attack vector is inferred to be remote, via authenticated or unauthenticated requests to the plugin’s admin interface, possibly exploiting insufficient permission checks. The vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on April 29, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 1.9.12 or newer, which removes the missing authorization check.
  • Restrict administrative access to the weight configuration page, ensuring only trusted users can modify settings.
  • Disable the Cart Weight plugin if shipping weight calculations are not required.

Generated by OpenCVE AI on April 29, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in octolize Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11. Missing Authorization vulnerability in Octolize Shipping Plugins Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11.

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 02 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Octolize
Octolize cart Weight For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Octolize
Octolize cart Weight For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in octolize Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11.
Title WordPress Cart Weight for WooCommerce plugin <= 1.9.11 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Octolize Cart Weight For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:17.074Z

Reserved: 2025-11-21T11:21:20.344Z

Link: CVE-2025-66109

cve-icon Vulnrichment

Updated: 2025-12-02T14:47:32.433Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T13:15:52.470

Modified: 2026-04-27T18:16:36.120

Link: CVE-2025-66109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:00:18Z

Weaknesses