Skip to main content

Printeers Print & Ship EUVDEUVD-2025-210034

| CVE-2025-52766 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 Patchstack GHSA-p3mf-c3pv-c9mr
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 10:22 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Printeers Printeers Print & Ship allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Printeers Print & Ship: from n/a through 1.17.0.

AnalysisAI

Missing Authorization in the Printeers Print & Ship WordPress plugin (versions through 1.17.0) allows authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles, resulting in high-integrity impact against affected WordPress sites. The flaw is classified under CWE-862 and reported by Patchstack as an incorrectly configured access control security level, meaning the plugin fails to enforce proper capability checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the moderate-priority tier for WordPress site operators running the affected plugin.

Technical ContextAI

The affected product is the Printeers Print & Ship WordPress plugin (CPE: cpe:2.3:a:printeers:printeers_print_&_ship:*:*:*:*:*:*:*:*), a plugin used to manage print-on-demand fulfillment and shipping workflows within WordPress/WooCommerce environments. CWE-862 (Missing Authorization) is the root cause class, indicating that the plugin's code invokes privileged functionality without first verifying that the requesting user holds the necessary WordPress capability (e.g., via current_user_can() or equivalent checks). WordPress access control relies on a role-capability model; when a plugin registers AJAX handlers, REST API endpoints, or admin-page actions without gating them behind appropriate capability checks, any authenticated user - including low-trust roles like Subscriber or Customer - can invoke those functions. The Patchstack-assigned tag 'Authentication Bypass' further suggests the access control misconfiguration allows privilege escalation beyond what the user's assigned role should permit.

RemediationAI

Update the Printeers Print & Ship plugin to a version released after 1.17.0 once a patched release is confirmed available; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/invition-print-ship/vulnerability/wordpress-printeers-print-ship-plugin-1-17-0-broken-access-control-vulnerability for the confirmed fix version, which is not explicitly stated in the currently available input data. As a compensating control, if the plugin cannot be updated immediately, restrict WordPress user registration to trusted roles only - disabling open subscriber or customer registration eliminates the low-privileged attacker foothold required by this vulnerability (PR:L). Additionally, a Web Application Firewall with WordPress-specific rulesets (e.g., Patchstack's virtual patching) can block exploitation attempts at the network layer without modifying the plugin. Note that restricting user registration may impact legitimate WooCommerce customer workflows and should be weighed against business impact.

Share

EUVD-2025-210034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy