Skip to main content

Myparcel

1 CVEs product

Monthly

CVE-2026-8678 MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy