Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible WordPress plugin endpoint requires no authentication (PR:N, AV:N, AC:L); impact is strictly limited to minor unauthorized integrity modification with no confidentiality or availability effects.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Sendcloud Shipping: from n/a through 1.0.29.
AnalysisAI
Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Sendcloud Shipping WordPress plugin must be installed and active on the target WordPress site running version 1.0.29 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N correctly reflects a remotely exploitable, unauthenticated, low-complexity flaw with limited integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker enumerates known Sendcloud Shipping plugin endpoints - such as `admin-ajax.php` actions registered without a nonce or capability check - and submits a crafted HTTP POST request. Because the plugin does not verify authorization before processing the request, the attacker successfully invokes restricted functionality, potentially altering shipping labels, webhook configurations, or plugin settings. … |
| Remediation | Update the Sendcloud Shipping plugin to a version above 1.0.29 via the WordPress plugin repository or admin dashboard. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41324
GHSA-92qf-5wrq-7gjm