Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Unauthenticated network exploitation (PR:N, AV:N) with impact bounded to partial shipping-record manipulation and disruption; no confidentiality breach applies.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in Colissimo Officiel : Méthodes de livraison pour WooCommerce <= 2.9.0 versions.
AnalysisAI
Unauthenticated IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce (versions ≤ 2.9.0) exposes shipping-related backend objects to manipulation by remote, unauthenticated attackers. Missing server-side authorization on object lookups allows adversaries to reference records belonging to other users, producing low integrity and availability impacts on WooCommerce shipping data with no confidentiality breach. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required (CVSS PR:N) and no user interaction is needed (CVSS UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) accurately characterizes the attack surface: low-complexity, network-accessible, unauthenticated exploitation requiring no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a French WooCommerce store running the Colissimo plugin and submits HTTP requests with sequentially incremented or enumerated shipment reference IDs in the plugin's object-lookup endpoint. Without authentication or authorization checks server-side, the plugin returns or processes the referenced record regardless of ownership, allowing the attacker to modify or disrupt shipping records belonging to other customers. … |
| Remediation | Update the Colissimo Officiel WooCommerce plugin to a version above 2.9.0 as soon as a patched release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40112
GHSA-rxh5-g3fx-mmx7