The Shiprocket plugin for WordPress contains an Insecure Direct Object Reference (IDOR) flaw that allows an attacker to craft requests with incorrect user-controlled keys, thereby bypassing authorization checks and accessing data or functionalities reserved for other users. This vulnerability stems from improperly configured access control levels and can result in the disclosure or manipulation of confidential information. The weakness is classified as CWE‑639, indicating a flaw where authorization is granted based on user-supplied input rather than legitimate checks.

Shiprocket Shiprocket for WordPress has been affected in all releases from the initial release through version 2.0.8. Users running any of these versions are vulnerable until they upgrade.

With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score is less than 1%, meaning the likelihood of exploitation at the time of this analysis is low, and it is not listed in CISA's KEV catalog. The likely attack path involves sending crafted HTTP requests that reference object identifiers, and the flaw can be exploited even without authentication if an attacker is able to guess or craft the correct key values. While the exploitation probability remains modest, organizations should treat the issue as a serious authorization problem that could lead to data exposure.