Impact
Missing authorization in the Sendcloud Shipping plugin lets an attacker explore or manipulate shipping data without proper permissions. The flaw is an improper access control weakness: users may be able to read or modify configuration settings that they should not have access to, which could undermine shipping workflow integrity and leak sensitive information.
Affected Systems
The vulnerability affects the WordPress Sendcloud Shipping plugin in all releases up to and including version 1.0.29. The only vendor identified is Sendcloud, and the product is the Sendcloud Shipping plugin for WordPress.
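To check an installation against the affected range, the following added example (not code from Sendcloud or from this advisory) reads the standard WordPress plugin header of each plugin under a plugins directory and reports matching plugins at or below 1.0.29. The name pattern, the directory layout of the demo and the sample header files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 0, 29)  # from the advisory: up to and including 1.0.29
# Assumption: the plugin's header name contains this text; adjust to your install.
NAME_PATTERN = re.compile(r"sendcloud\s+shipping", re.I)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)


def parse_version(text):
    """Turn '1.0.29' into (1, 0, 29); a '-suffix' such as '-beta' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def read_header(php_file):
    """Return {'plugin name': ..., 'version': ...} from a plugin file header."""
    head = php_file.read_text(errors="replace")[:8192]  # header sits at the top
    return {k.lower(): v for k, v in HEADER.findall(head)}


def find_affected(plugins_dir):
    """List (plugin directory, version) for matches at or below LAST_AFFECTED."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        name, version = header.get("plugin name", ""), header.get("version", "")
        if NAME_PATTERN.search(name) and version:
            if parse_version(version) <= LAST_AFFECTED:
                hits.append((php_file.parent.name, version))
    return hits


def demo():
    """Run the check over a constructed plugins tree (not real plugin files)."""
    samples = {"old/sc.php": "1.0.29", "new/sc.php": "1.0.30", "early/sc.php": "1.0.3"}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            path = Path(root, rel)
            path.parent.mkdir()
            path.write_text(
                f"<?php\n/**\n * Plugin Name: Sendcloud Shipping\n * Version: {ver}\n */\n"
            )
        return find_affected(root)


if __name__ == "__main__":
    print(demo())
```

Versions are compared as integer tuples, so 1.0.3 sorts below 1.0.29 instead of above it as a string comparison would. A version above 1.0.29 only means it is outside the range this advisory lists.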
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and no EPSS score is available. The vulnerability is not currently listed in the CISA KEV catalog. Attackers are likely to exploit this weakness by sending crafted requests to the plugin’s administrative endpoints, either from a compromised account or as an unauthenticated user. This attack path is inferred from the description of incorrect access control levels; the exact preconditions are not specified.
OpenCVE Enrichment