Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-accessible AJAX endpoint (AV:N), no special conditions (AC:L), subscriber authentication required (PR:L), integrity-only impact on order metadata (I:L), no confidentiality or availability breach.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod() function (registered to the wp_ajax_lpc_order_affect AJAX action) in versions up to, and including, 2.9.0. This is due to the handler performing no current_user_can() capability check and no nonce verification before reading an attacker-supplied order_id and modifying that order's shipping method, pickup-point meta, and shipping address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or modify the shipment information (shipping method, pickup relay data, and shipping address) of arbitrary WooCommerce orders, including orders placed by other users.
AnalysisAI
Unauthorized order modification in the Colissimo Officiel shipping plugin for WordPress (versions up to and including 2.9.0) allows any authenticated subscriber-level user to overwrite the shipping method, pickup-relay metadata, and shipping address of arbitrary WooCommerce orders - including orders belonging to other customers. The vulnerability stems from a completely unguarded AJAX handler: no capability check and no nonce verification are performed before acting on caller-supplied input. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | A WordPress account of Subscriber role or higher is required - completely unauthenticated exploitation is not possible given the handler is registered under wp_ajax_ (not wp_ajax_nopriv_), meaning WordPress's own authentication layer must be satisfied first. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is consistent with the described impact: no confidentiality or availability breach, only integrity corruption of order shipping metadata, requiring at minimum a subscriber-level WordPress account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered a free customer (Subscriber) account on a WooCommerce store running the affected plugin submits a crafted HTTP POST request directly to /wp-admin/admin-ajax.php with action=lpc_order_affect and an arbitrary order_id value. Because the handler performs no capability check or nonce verification, WordPress processes the request and overwrites the target order's shipping address and pickup-point metadata with attacker-supplied values, potentially redirecting a victim's physical parcel to the attacker's chosen location. … |
| Remediation | The upstream fix is available as changeset 3553367 in the WordPress plugin SVN repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3553367%40colissimo-shipping-methods-for-woocommerce&new=3553367%40colissimo-shipping-methods-for-woocommerce); however, a tagged patched release version has not been independently confirmed from the available input data - site operators should check the WordPress plugin directory for a version newer than 2.9.0 and update immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42558
GHSA-5f86-c5fx-8mw6