Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
AnalysisAI
A missing authorization vulnerability exists in Arni Cinco WPCargo Track & Trace WordPress plugin through version 8.0.2, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit sensitive functionality. This broken access control flaw (CWE-862) affects all installations of the plugin up to and including version 8.0.2, enabling unauthenticated or low-privileged attackers to access resources or perform actions they should not be permitted to execute. The vulnerability was reported by Patchstack and has been tracked under ENISA EUVD ID EUVD-2026-15715.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to properly validate user permissions before granting access to sensitive operations or data. In the context of WPCargo Track & Trace (identified via CPE cpe:2.3:a:arni_cinco:wpcargo_track_&_trace:*:*:*:*:*:*:*:*), this plugin—which provides shipment tracking and tracing functionality for WordPress e-commerce environments—does not implement adequate authorization checks on its API endpoints, administrative functions, or database queries. The plugin likely uses WordPress's standard authentication mechanisms (wp_verify_nonce, user role checks) but fails to enforce them consistently across all entry points, particularly in areas handling sensitive shipment data, customer information, or administrative configuration settings.
RemediationAI
Upgrade the WPCargo Track & Trace plugin to a version later than 8.0.2 immediately upon availability of a patched release from Arni Cinco (consult the vendor security advisory via Patchstack for the specific patch version). Until a patch is available, implement compensating controls by disabling the plugin if it is not critical to operations, or restrict access to WPCargo-related pages and API endpoints via WordPress user role restrictions and network-level IP whitelisting to trusted administrator and fulfillment staff only. Additionally, review WordPress access logs and database query logs for suspicious access patterns to tracking and shipment data, and consider implementing a Web Application Firewall (WAF) rule to block unauthorized requests to known WPCargo administrative endpoints. Monitor the Patchstack advisory regularly for patch availability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15715