Impact
Missing authorization in the Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin allows an attacker to trigger plugin functions without the required permissions. The vulnerability, classified as CWE-862, permits unauthorized manipulation of shipping rate calculations and the creation of shipping labels. This could result in financial loss or fraud by providing shipping services without cost or by altering order fulfillment data, directly affecting the integrity and confidentiality of business operations.
Affected Systems
All WordPress installations running Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin through version 5.1.8 are vulnerable. The issue applies to every release from the first available version up to and including 5.1.8. Sites that have upgraded beyond 5.1.8 or have not installed the plugin are not affected.
Risk and Exploitability
A CVSS base score of 7.5 indicates high severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attack executed over the web: the plugin's endpoints can be accessed without authentication, so an attacker can exploit the issue from anywhere with internet connectivity. Because the affected function performs no authentication or authorization check, the system is exposed to unauthorized changes, and prompt remediation is warranted.
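The CWE-862 pattern described above, and the fix a plugin author (or a site owner patching locally) would apply, shown as an added illustration that is not the plugin's own code. The action name, callback names, order parameter and the `manage_options` capability are assumptions; the real plugin's internals are not given on this page.

```php
<?php
// Added illustration, not code from the affected plugin. All names here are assumed.

// BEFORE (the CWE-862 pattern): a public AJAX action with no authorization check.
// wp_ajax_nopriv_* registers the action for unauthenticated visitors, and the
// callback never verifies who is calling or whether the request is legitimate.
add_action( 'wp_ajax_nopriv_example_create_label', 'example_create_label_unsafe' );
add_action( 'wp_ajax_example_create_label', 'example_create_label_unsafe' );
function example_create_label_unsafe() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    // ... would call the carrier API and store the label on the order ...
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

// AFTER: the same action, now reachable only by logged-in users (no nopriv hook),
// gated by a capability check and protected against CSRF with a nonce.
add_action( 'wp_ajax_example_create_label', 'example_create_label_safe' );
function example_create_label_safe() {
    // CSRF protection: the client sends a nonce created with
    // wp_create_nonce( 'example_create_label' ) in the 'nonce' field.
    check_ajax_referer( 'example_create_label', 'nonce' );

    // Authorization: 'manage_options' (core admin capability) is an assumption;
    // a shop plugin would normally use the shop-manager capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $order_id = absint( $_POST['order_id'] ?? 0 );
    if ( ! $order_id ) {
        wp_send_json_error( array( 'message' => 'Invalid order' ), 400 );
    }
    // ... carrier API call and label storage as before ...
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

// The same rule for a REST route: permission_callback is where authorization lives.
// A route registered with '__return_true' here is the REST form of this bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/rates', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            return rest_ensure_response( array( 'order_id' => absint( $req['order_id'] ) ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Until a patched release is installed, a site owner can verify exposure by checking the plugin's registered `wp_ajax_nopriv_*` hooks and REST routes for callbacks that lack a `current_user_can()` check or use `__return_true` as the permission callback.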
OpenCVE Enrichment