Description
Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Tracking: from n/a through <= 3.4.3.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Order Information
Action: Immediate Patch
AI Analysis

Impact

An unauthorized access vulnerability exists in the Rustaurius Order Tracking WordPress plugin up to version 3.4.3. The flaw is a missing authorization check that allows any visitor to retrieve detailed order information. Exposing such data can compromise customer privacy, undermine business confidentiality, and potentially lead to financial damage if the information is misused.

Affected Systems

All installations of the Rustaurius Order Tracking plugin with a version number 3.4.3 or earlier are affected. The plugin is widely deployed on WordPress sites that process customer orders. The advisory indicates that newer releases should contain a fix, though no specific patch version is cited.

Risk and Exploitability

No publicly listed severity score is available, yet the absence of an access control check suggests a high risk of exploitation. Based on the description, it is inferred that an attacker can reach vulnerable plugin endpoints from anywhere on the web, bypassing authentication to read order data. This could be performed by unauthenticated users or users with limited privileges, exposing sensitive transaction details to anyone who can trigger the flaw.

Generated by OpenCVE AI on April 8, 2026 at 10:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rustaurius Order Tracking plugin to the latest version that addresses the missing authorization flaw (e.g., 3.5 or newer).
  • Confirm that the updated plugin enforces proper role checks so that only authorized users can view order information.
  • If an update cannot be applied immediately, deactivate or uninstall the plugin to remove the access path.
  • Audit site logs for any unauthorized access attempts to order data and consider tightening general WordPress permissions or deploying a web application firewall.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Rustaurius; Rustaurius order Tracking; Wordpress; Wordpress wordpress |
| Vendors & Products | | Rustaurius; Rustaurius order Tracking; Wordpress; Wordpress wordpress |

Wed, 08 Apr 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Tracking: from n/a through <= 3.4.3. |
| Title | | WordPress Order Tracking plugin <= 3.4.3 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:21.845Z

Reserved: 2026-04-07T10:48:50.116Z

Link: CVE-2026-39602

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:29.340

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:16Z

Weaknesses