Description
Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check within the eshipper eShipper Commerce WordPress plugin. Attackers can bypass normal role or capability restrictions, allowing them to view or modify sensitive shipment configuration data and alter shipping rules, thereby compromising the integrity of eCommerce operations. This issue is categorized as a broken access control flaw (CWE‑862).

Affected Systems

Any site running the eShipper Commerce plugin from eshipper, in a version equal to or older than 2.16.12, is affected. Users should verify the plugin version and upgrade if necessary.

Risk and Exploitability

The EPSS score is below 1 %, indicating a low likelihood of exploitation in the wild. The CVSS score is 5.3, indicating a medium severity vulnerability. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers likely exploit the flaw by sending HTTP requests to plugin‑controlled administrative endpoints that lack proper authorization checks, which may be reachable with minimal credentials or even without authentication depending on site configuration.

Generated by OpenCVE AI on April 29, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official plugin update to any release newer than 2.16.12.
  • Restrict administrative access to the plugin’s endpoints so that only authenticated users with the necessary capabilities can reach them.
  • Monitor accesses to the plugin’s administrative endpoints for anomalous activity and log any unauthorized attempts.

Generated by OpenCVE AI on April 29, 2026 at 12:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Eshipper
Eshipper eshipper Commerce
Wordpress
Wordpress wordpress
Vendors & Products Eshipper
Eshipper eshipper Commerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.
Title WordPress eShipper Commerce plugin <= 2.16.12 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Eshipper Eshipper Commerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.378Z

Reserved: 2026-04-07T10:58:10.483Z

Link: CVE-2026-39689

cve-icon Vulnrichment

Updated: 2026-04-13T18:18:31.039Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:40.937

Modified: 2026-04-29T10:17:40.863

Link: CVE-2026-39689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:00:06Z

Weaknesses