Skip to main content

a2z-fedex-shipping EUVDEUVD-2026-15736

| CVE-2026-25456 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-56w7-56c6-q9m8
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 28, 2026 - 02:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 16:12 NVD
7.5 (HIGH) 7.3 (HIGH)
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15736
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.8.

AnalysisAI

Unauthenticated access control bypass in Aarsiv Groups' a2z-fedex-shipping WordPress plugin (versions ≤5.1.8) allows remote attackers to exploit incorrectly configured authorization checks, enabling unauthorized viewing, modification, or disruption of FedEx shipping data and label generation. The vulnerability is categorized as automatable with partial technical impact per SSVC framework, though EPSS scoring indicates low observed exploitation probability (0.02%, 4th percentile). Patchstack reported this CWE-862 missing authorization flaw; no active exploitation confirmed via CISA KEV at time of analysis.

Technical ContextAI

This WordPress plugin (CPE: cpe:2.3:a:aarsiv_groups:automated_fedex_live/manual_rates_with_shipping_labels) integrates FedEx shipping rate calculation and label generation into WooCommerce or similar e-commerce platforms. The vulnerability stems from CWE-862 (Missing Authorization), where security checks on sensitive operations are absent or improperly implemented. In WordPress plugin architecture, this typically manifests when AJAX handlers, REST API endpoints, or administrative functions fail to validate user permissions before processing requests. The CVSS vector indicates network-accessible endpoints (AV:N) with no authentication requirements (PR:N) and low attack complexity (AC:L), suggesting that critical shipping operations - potentially including rate queries, label generation, or configuration changes - can be invoked without proper capability checks against WordPress user roles.

RemediationAI

Upgrade to a2z-fedex-shipping plugin version 5.1.9 or later if available, verifying the patched release through WordPress.org repository or vendor communication - note that available data confirms vulnerability through 5.1.8 but does not independently verify a specific patched version number, so consult Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability for confirmed fix version before deployment. If immediate patching is not feasible, implement compensating controls: disable the plugin entirely if FedEx shipping is non-critical to business operations (eliminates attack surface but disrupts shipping workflow); restrict plugin functionality to authenticated administrator sessions only by adding capability checks in theme functions.php or via security plugin rules (reduces exposure but requires custom code maintenance); deploy WordPress application firewall rules to block unauthenticated POST/GET requests to plugin-specific AJAX actions and REST endpoints (effective mitigation but may cause false positives requiring tuning). Monitor WordPress access logs for unexpected requests to /wp-admin/admin-ajax.php or /wp-json/ paths containing 'fedex' or 'a2z' patterns as potential exploitation indicators.

Share

EUVD-2026-15736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy