Skip to main content

Wpcargo Track Trace EUVDEUVD-2026-15715

| CVE-2026-25401 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15715
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.

AnalysisAI

A missing authorization vulnerability exists in Arni Cinco WPCargo Track & Trace WordPress plugin through version 8.0.2, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit sensitive functionality. This broken access control flaw (CWE-862) affects all installations of the plugin up to and including version 8.0.2, enabling unauthenticated or low-privileged attackers to access resources or perform actions they should not be permitted to execute. The vulnerability was reported by Patchstack and has been tracked under ENISA EUVD ID EUVD-2026-15715.

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to properly validate user permissions before granting access to sensitive operations or data. In the context of WPCargo Track & Trace (identified via CPE cpe:2.3:a:arni_cinco:wpcargo_track_&_trace:*:*:*:*:*:*:*:*), this plugin—which provides shipment tracking and tracing functionality for WordPress e-commerce environments—does not implement adequate authorization checks on its API endpoints, administrative functions, or database queries. The plugin likely uses WordPress's standard authentication mechanisms (wp_verify_nonce, user role checks) but fails to enforce them consistently across all entry points, particularly in areas handling sensitive shipment data, customer information, or administrative configuration settings.

RemediationAI

Upgrade the WPCargo Track & Trace plugin to a version later than 8.0.2 immediately upon availability of a patched release from Arni Cinco (consult the vendor security advisory via Patchstack for the specific patch version). Until a patch is available, implement compensating controls by disabling the plugin if it is not critical to operations, or restrict access to WPCargo-related pages and API endpoints via WordPress user role restrictions and network-level IP whitelisting to trusted administrator and fulfillment staff only. Additionally, review WordPress access logs and database query logs for suspicious access patterns to tracking and shipment data, and consider implementing a Web Application Firewall (WAF) rule to block unauthorized requests to known WPCargo administrative endpoints. Monitor the Patchstack advisory regularly for patch availability.

Share

EUVD-2026-15715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy