Description
Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the Rustaurius Order Tracking WordPress plugin permits an attacker to bypass normal access controls and view order data stored by the plugin. The weakness, identified as CWE‑862, allows access to order records without authentication, thereby compromising confidentiality of that data.

Affected Systems

The vulnerability affects the Rustaurius:Order Tracking plugin for WordPress. All releases from the initial version through version 3.4.3 are impacted.

Risk and Exploitability

The EPSS score is reported as under 1%, suggesting that exploitation is unlikely to be widespread. The issue is not listed in the CISA KEV catalog, indicating no known public exploitation. The CVSS score is 5.3, reflecting medium severity. Because the plugin is exposed via a WordPress site, the likely attack vector is a web request to a plugin endpoint, but the specific request format is not detailed in the advisory.

Generated by OpenCVE AI on April 29, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Order Tracking plugin to a version newer than 3.4.3 as soon as possible.
  • If an immediate update is not possible, restrict public access to order history pages so that only authorized administrators can view them.
  • Monitor web access logs for attempts to retrieve order data and apply rate limiting or IP blocking to mitigate repeated probing.

Generated by OpenCVE AI on April 29, 2026 at 11:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Rustaurius
Rustaurius order Tracking
Wordpress
Wordpress wordpress
Vendors & Products Rustaurius
Rustaurius order Tracking
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3.
Title WordPress Order Tracking plugin <= 3.4.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Rustaurius Order Tracking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.238Z

Reserved: 2026-04-07T10:48:50.116Z

Link: CVE-2026-39602

cve-icon Vulnrichment

Updated: 2026-04-13T18:19:58.465Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:29.340

Modified: 2026-04-29T10:17:30.110

Link: CVE-2026-39602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:00:11Z

Weaknesses