Skip to main content

Eshipper Commerce EUVDEUVD-2026-20381

| CVE-2026-39689 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-6r9f-mhjv-gfjc
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20381
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.

AnalysisAI

eShipper Commerce plugin versions up to 2.16.12 allow unauthenticated attackers to modify data through missing authorization checks on access control enforcement points. The vulnerability exposes WordPress sites running this e-commerce plugin to unauthorized state changes without requiring authentication, with a low EPSS exploitation probability (0.02% percentile 4%) suggesting limited real-world attack incentive despite the network-accessible attack vector.

Technical ContextAI

eShipper Commerce is a WordPress plugin (CPE: cpe:2.3:a:eshipper:eshipper_commerce) that implements e-commerce functionality. The vulnerability stems from CWE-862 (Missing Authorization), a common WordPress plugin flaw where action handlers or AJAX endpoints fail to validate user capabilities before processing requests. The plugin's access control mechanism incorrectly enforces security levels, allowing any network-adjacent actor to reach protected functionality without proper privilege validation. This typically manifests in WordPress as missing capability checks in add_action() hooks, unprotected REST API endpoints, or AJAX handlers that lack current_user_can() validation.

RemediationAI

Update eShipper Commerce plugin to a version above 2.16.12 immediately; vendor patch version number not specified in available data. Site administrators should visit the WordPress plugin repository or the vendor's release notes to confirm the minimum patched version. As an interim control pending patch verification, restrict WordPress user roles that can access e-commerce administrative functions and audit plugin capabilities through WordPress capability mapping. Consult Patchstack and NVD advisory links for release notes and confirmed patch availability.

Share

EUVD-2026-20381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy