Impact
The vulnerability is an unauthenticated IDOR that allows an attacker to access or modify resources they should not be able to reach. The flaw arises from insufficient checks on user‑supplied identifiers, permitting read/write of shipping details or other sensitive data related to the WooCommerce plugin. As a result, an attacker can obtain private information about customers or alter order details, compromising confidentiality and integrity.
Affected Systems
The affected product is the WordPress plugin 'Colissimo Officiel : Méthodes de livraison pour WooCommerce', versions 2.9.0 and earlier. Any site running these versions on WordPress may be impacted.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, and the absence of an EPSS score or KEV listing suggests no currently known public exploitation. The flaw is unauthenticated: exploitation requires no valid account and can be attempted by anyone who can reach the plugin's endpoints. Attackers could target the public-facing shop or attempt brute-force requests to discover valid identifiers. The overall risk is moderate, but prompt mitigation is recommended.
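The pattern behind the Impact and Risk sections above is a handler that sanitises a caller-supplied identifier but never checks whether the caller is entitled to the object it names. The following is an added, hypothetical illustration for a WooCommerce plugin; it is not code from the Colissimo plugin and does not describe its actual endpoints. The action names (`example_get_shipping`, `example_get_shipping_v2`), the nonce action `example_shipping` and the helper `example_user_may_view_order` are assumptions; the WordPress and WooCommerce functions called (`add_action`, `check_ajax_referer`, `absint`, `wc_get_order`, `get_current_user_id`, `current_user_can`, `wp_send_json_*`) are real APIs.

```php
<?php
// Added illustration, not code from the Colissimo plugin: a hypothetical
// WooCommerce AJAX handler that returns an order's shipping address.

// --- Vulnerable pattern (hypothetical): trusts the caller-supplied order_id ---
// Registered for both logged-in and anonymous callers, so no account is needed,
// and the handler never asks whether the caller may see this particular order.
add_action( 'wp_ajax_example_get_shipping', 'example_get_shipping_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_shipping', 'example_get_shipping_vulnerable' );

function example_get_shipping_vulnerable() {
    $order_id = absint( $_GET['order_id'] ?? 0 ); // sanitised, but never authorised
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Any caller who can guess or enumerate an order ID receives the customer's
    // address: this is the insufficient check that produces an IDOR.
    wp_send_json_success( $order->get_address( 'shipping' ) );
}

// --- Hardened pattern: authenticate, verify the nonce, then authorise the object ---
// Only the logged-in hook is registered; anonymous requests never reach the handler.
add_action( 'wp_ajax_example_get_shipping_v2', 'example_get_shipping_hardened' );

function example_get_shipping_hardened() {
    // CSRF protection; the nonce action name 'example_shipping' is an assumption.
    check_ajax_referer( 'example_shipping', 'nonce' );

    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );

    // Same response for "does not exist" and "not yours", so the endpoint cannot
    // be used as an oracle to brute-force valid order IDs.
    if ( ! $order || ! example_user_may_view_order( $order ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $order->get_address( 'shipping' ) );
}

// Object-level authorisation (hypothetical helper): the order must belong to the
// caller, or the caller must hold the shop-manager capability.
function example_user_may_view_order( WC_Order $order ) {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return false; // anonymous callers own no orders
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return (int) $order->get_customer_id() === $user_id;
}
```

Two points matter for defenders reviewing similar code: removing the `wp_ajax_nopriv_` registration is what turns an unauthenticated flaw into one that at least requires an account, and the ownership comparison against `get_customer_id()` is the object-level check whose absence the advisory describes. The identical 404 for missing and foreign orders also removes the enumeration signal mentioned in the Risk section.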
OpenCVE Enrichment