Description
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Sendcloud Shipping: from n/a through 1.0.29.
Published: 2026-07-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the Sendcloud Shipping plugin lets an attacker explore or manipulate shipping data without proper permissions. The flaw corresponds to an improper access control weakness, enabling users to potentially read or modify configuration settings that they should not have access to, which could undermine shipping workflow integrity and potentially leak sensitive information.

Affected Systems

The vulnerability affects the WordPress Sendcloud Shipping plugin in all releases up to and including version 1.0.29. The only vendor identified is Sendcloud, and the product is the Sendcloud Shipping plugin for WordPress.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and no EPSS score is available. The vulnerability is not currently listed in the CISA KEV catalog. Attackers are likely to exploit this weakness by sending crafted requests to the plugin’s administrative endpoints, either as an unauthenticated user or from a compromised account. This attack path is inferred from the description of incorrect access control levels; the exact preconditions are not specified.

Generated by OpenCVE AI on July 2, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sendcloud Shipping plugin to the latest released version that resolves the access control flaw.
  • Limit administrative access to the plugin’s endpoints by configuring role‑based restrictions or firewall rules that permit requests only from authenticated administrators.
  • Review and tighten WordPress user roles so that only administrators have capabilities to modify shipping settings, and monitor server logs for suspicious access attempts.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 02 Jul 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29. |
| Title | | WordPress Sendcloud Shipping plugin <= 1.0.29 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:40:30.782Z

Reserved: 2026-06-25T08:04:41.580Z

Link: CVE-2026-57760

Vulnrichment

Updated: 2026-07-02T12:40:28.045Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T17:45:03Z

Weaknesses