Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.
AnalysisAI
eShipper Commerce plugin versions up to 2.16.12 allow unauthenticated attackers to modify data through missing authorization checks on access control enforcement points. The vulnerability exposes WordPress sites running this e-commerce plugin to unauthorized state changes without requiring authentication, with a low EPSS exploitation probability (0.02% percentile 4%) suggesting limited real-world attack incentive despite the network-accessible attack vector.
Technical ContextAI
eShipper Commerce is a WordPress plugin (CPE: cpe:2.3:a:eshipper:eshipper_commerce) that implements e-commerce functionality. The vulnerability stems from CWE-862 (Missing Authorization), a common WordPress plugin flaw where action handlers or AJAX endpoints fail to validate user capabilities before processing requests. The plugin's access control mechanism incorrectly enforces security levels, allowing any network-adjacent actor to reach protected functionality without proper privilege validation. This typically manifests in WordPress as missing capability checks in add_action() hooks, unprotected REST API endpoints, or AJAX handlers that lack current_user_can() validation.
RemediationAI
Update eShipper Commerce plugin to a version above 2.16.12 immediately; vendor patch version number not specified in available data. Site administrators should visit the WordPress plugin repository or the vendor's release notes to confirm the minimum patched version. As an interim control pending patch verification, restrict WordPress user roles that can access e-commerce administrative functions and audit plugin capabilities through WordPress capability mapping. Consult Patchstack and NVD advisory links for release notes and confirmed patch availability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20381
GHSA-6r9f-mhjv-gfjc