Skip to main content

Shiptime CVE-2026-39672

| EUVDEUVD-2026-20350 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-hg3m-8jw2-j2h2
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20350
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in shiptime ShipTime: Discounted Shipping Rates shiptime-discount-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShipTime: Discounted Shipping Rates: from n/a through <= 1.1.1.

AnalysisAI

Missing authorization in ShipTime: Discounted Shipping Rates WordPress plugin (versions ≤1.1.1) allows unauthenticated remote attackers to access sensitive shipping rate information and configuration via incorrectly configured access control, resulting in limited confidentiality compromise. CVSS 5.3 with 0.02% EPSS indicates low real-world exploitation probability despite network-accessible attack vector. CISA SSVC framework rates this as non-exploited with partial technical impact, suggesting this is a configuration weakness rather than an actively weaponized vulnerability.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a foundational access control flaw where the application fails to verify user permissions before granting access to protected resources. The affected product is the ShipTime: Discounted Shipping Rates WordPress plugin (CPE: cpe:2.3:a:shiptime:shiptime:_discounted_shipping_rates:*:*:*:*:*:*:*:*), which likely exposes shipping discount configuration endpoints or API methods without proper authentication or role-based access control checks. This is typical of WordPress plugins where REST API or AJAX endpoints lack nonce validation or capability checks, allowing an unauthenticated attacker over the network to enumerate or modify shipping rate data that should be restricted to authenticated administrators.

RemediationAI

Update ShipTime: Discounted Shipping Rates plugin to version 1.1.2 or later, which should include authorization checks to restrict access to shipping rate configuration and sensitive endpoints to authenticated administrators only. WordPress administrators should navigate to Plugins > Installed Plugins, locate ShipTime: Discounted Shipping Rates, and click 'Update Now' if an update is available. Additionally, review plugin REST API endpoints or AJAX handlers using security plugins or code review to confirm nonce validation and capability checking (e.g., current_user_can('manage_options')) are enforced. Refer to the Patchstack vulnerability database entry for specific technical remediation details and vendor patch status.

Share

CVE-2026-39672 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy