Description
Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch Immediately
AI Analysis

Impact

A missing authorization flaw in the Kargo Takip WordPress plugin removes critical access controls, allowing a user to view or modify protected data managed by the plugin. The weakness, identified as CWE‑862, does not grant execution privileges but directly undermines data confidentiality and integrity by letting an attacker bypass legitimate authentication checks.

Affected Systems

All releases of the Kargo Takip plugin distributed by Özgür KARALAR, specifically versions prior to 0.2.4, are affected. WordPress sites installing the plugin before this version are at risk, as the vulnerability applies to every non‑patched instance of the add‑on.

Risk and Exploitability

The core exploit score of 6.5 indicates medium severity. The EPSS score is less than 1%, suggesting that the vulnerability is unlikely to see widespread exploitation currently. The flaw is not included in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is likely remote, through crafted HTTP requests to the plugin’s endpoints, and does not require elevated privileges beyond the ability to reach those URLs.

Generated by OpenCVE AI on March 26, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kargo Takip to version 0.2.4 or later
  • If an update is not immediately possible, restrict access to the plugin’s administrative pages by assigning the least privilege role to users
  • Monitor WordPress admin logs for unusual access to the plugin’s URLs
  • Verify that any custom role permissions do not allow actions beyond intended scopes

Generated by OpenCVE AI on March 26, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Özgür Karalar
Özgür Karalar kargo Takip
Vendors & Products Wordpress
Wordpress wordpress
Özgür Karalar
Özgür Karalar kargo Takip

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4.
Title WordPress Kargo Takip plugin < 0.2.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Özgür Karalar Kargo Takip
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.191Z

Reserved: 2026-02-02T12:52:55.300Z

Link: CVE-2026-25365

cve-icon Vulnrichment

Updated: 2026-03-26T16:32:14.750Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:47.420

Modified: 2026-04-23T15:37:06.027

Link: CVE-2026-25365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:45:54Z

Weaknesses