A broken access control vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin allows an attacker to invoke plugin functions without the necessary permissions. Classified as CWE‑862, this flaw permits unauthorized manipulation of shipping rate calculations and creation of shipping labels, potentially enabling financial loss or fraud by providing shipping services without cost or by altering order fulfillment data, thereby affecting the integrity and confidentiality of business operations.

All WordPress installations running Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin through version 5.1.9 are vulnerable. The issue applies to every release from the first available version up to and including 5.1.9. Sites that have upgraded beyond 5.1.9 or have not installed the plugin are not affected.

CVSS base score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attack executed over the web; the plugin's endpoints can be accessed without authentication, allowing an attacker to exploit the issue from anywhere with internet connectivity. The absence of authentication and the unrestricted access to the function expose the system to potential unauthorized changes, prompting a need for immediate remediation.