Skip to main content

Colissimo Shipping Methods For Woocommerce

1 CVEs product

Monthly

CVE-2026-9240 MEDIUM This Month

Unauthorized order modification in the Colissimo Officiel shipping plugin for WordPress (versions up to and including 2.9.0) allows any authenticated subscriber-level user to overwrite the shipping method, pickup-relay metadata, and shipping address of arbitrary WooCommerce orders - including orders belonging to other customers. The vulnerability stems from a completely unguarded AJAX handler: no capability check and no nonce verification are performed before acting on caller-supplied input. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog, though Wordfence has confirmed and disclosed it with specific source-line references.

Authentication Bypass WordPress Colissimo Shipping Methods For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized order modification in the Colissimo Officiel shipping plugin for WordPress (versions up to and including 2.9.0) allows any authenticated subscriber-level user to overwrite the shipping method, pickup-relay metadata, and shipping address of arbitrary WooCommerce orders - including orders belonging to other customers. The vulnerability stems from a completely unguarded AJAX handler: no capability check and no nonce verification are performed before acting on caller-supplied input. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog, though Wordfence has confirmed and disclosed it with specific source-line references.

Authentication Bypass WordPress Colissimo Shipping Methods For Woocommerce
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy