Skip to main content

Sendcloud Shipping EUVDEUVD-2026-41324

| CVE-2026-57760 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 audit@patchstack.com GHSA-92qf-5wrq-7gjm
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible WordPress plugin endpoint requires no authentication (PR:N, AV:N, AC:L); impact is strictly limited to minor unauthorized integrity modification with no confidentiality or availability effects.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:39 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Sendcloud Shipping: from n/a through 1.0.29.

AnalysisAI

Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Sendcloud Shipping ≤1.0.29
Exploit
Send unauthenticated HTTP request to unprotected plugin endpoint
Execution
Bypass absent authorization check
Impact
Perform unauthorized modification of plugin-managed data

Vulnerability AssessmentAI

Exploitation The Sendcloud Shipping WordPress plugin must be installed and active on the target WordPress site running version 1.0.29 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N correctly reflects a remotely exploitable, unauthenticated, low-complexity flaw with limited integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker enumerates known Sendcloud Shipping plugin endpoints - such as `admin-ajax.php` actions registered without a nonce or capability check - and submits a crafted HTTP POST request. Because the plugin does not verify authorization before processing the request, the attacker successfully invokes restricted functionality, potentially altering shipping labels, webhook configurations, or plugin settings. …
Remediation Update the Sendcloud Shipping plugin to a version above 1.0.29 via the WordPress plugin repository or admin dashboard. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy