Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.8.
AnalysisAI
Unauthenticated access control bypass in Aarsiv Groups' a2z-fedex-shipping WordPress plugin (versions ≤5.1.8) allows remote attackers to exploit incorrectly configured authorization checks, enabling unauthorized viewing, modification, or disruption of FedEx shipping data and label generation. The vulnerability is categorized as automatable with partial technical impact per SSVC framework, though EPSS scoring indicates low observed exploitation probability (0.02%, 4th percentile). Patchstack reported this CWE-862 missing authorization flaw; no active exploitation confirmed via CISA KEV at time of analysis.
Technical ContextAI
This WordPress plugin (CPE: cpe:2.3:a:aarsiv_groups:automated_fedex_live/manual_rates_with_shipping_labels) integrates FedEx shipping rate calculation and label generation into WooCommerce or similar e-commerce platforms. The vulnerability stems from CWE-862 (Missing Authorization), where security checks on sensitive operations are absent or improperly implemented. In WordPress plugin architecture, this typically manifests when AJAX handlers, REST API endpoints, or administrative functions fail to validate user permissions before processing requests. The CVSS vector indicates network-accessible endpoints (AV:N) with no authentication requirements (PR:N) and low attack complexity (AC:L), suggesting that critical shipping operations - potentially including rate queries, label generation, or configuration changes - can be invoked without proper capability checks against WordPress user roles.
RemediationAI
Upgrade to a2z-fedex-shipping plugin version 5.1.9 or later if available, verifying the patched release through WordPress.org repository or vendor communication - note that available data confirms vulnerability through 5.1.8 but does not independently verify a specific patched version number, so consult Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability for confirmed fix version before deployment. If immediate patching is not feasible, implement compensating controls: disable the plugin entirely if FedEx shipping is non-critical to business operations (eliminates attack surface but disrupts shipping workflow); restrict plugin functionality to authenticated administrator sessions only by adding capability checks in theme functions.php or via security plugin rules (reduces exposure but requires custom code maintenance); deploy WordPress application firewall rules to block unauthenticated POST/GET requests to plugin-specific AJAX actions and REST endpoints (effective mitigation but may cause false positives requiring tuning). Monitor WordPress access logs for unexpected requests to /wp-admin/admin-ajax.php or /wp-json/ paths containing 'fedex' or 'a2z' patterns as potential exploitation indicators.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15736
GHSA-56w7-56c6-q9m8