{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25456", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.792Z", "datePublished": "2026-03-25T16:14:50.530Z", "dateUpdated": "2026-03-25T16:14:50.530Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "a2z-fedex-shipping", "product": "Automated FedEx live/manual rates with shipping labels", "vendor": "Aarsiv Groups", "versions": [{"lessThanOrEqual": "<= 5.1.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:29.493Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.8.</p>"}], "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:50.530Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Automated FedEx live/manual rates with shipping labels plugin <= 5.1.8 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.8."}], "id": "CVE-2026-25456", "lastModified": "2026-03-25T17:16:51.747", "metrics": {}, "published": "2026-03-25T17:16:51.747", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Automated FedEx live/manual rates with shipping labels", "source": "cna", "vendor": "Aarsiv Groups"}, "product": "automated_fedex_live/manual_rates_with_shipping_labels", "vendor": "aarsiv_groups"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:29:29.426357+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to the newest available release if a fix has been issued.", "If an upgrade is not yet available, limit the plugin\u2019s functionality to administrator accounts by adjusting WordPress role permissions or by disabling the plugin\u2019s endpoints on non\u2011admin pages.", "Continuously monitor site logs for unusual activity such as unexpected label generation or rate changes, and audit shipping records for discrepancies."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access to Shipping Information"}, "threat_synthesis": {"affected_systems": "WordPress websites that use the Automated FedEx live/manual rates with shipping labels plugin from Aarsiv Groups, specifically versions up to and including 5.1.8. No further version refinements are documented.", "description_and_impact": "Aarsiv Groups\u2019 Automated FedEx live/manual rates with shipping labels plugin for WordPress contains a missing authorization flaw that allows users to retrieve, modify, and generate shipping rates and labels without the proper permission checks. This defect can lead to unauthorized disclosure of shipping cost data, manipulation of rates to increase shipping expenses, and the creation of labels for unintended packages. The consequences include financial loss, loss of customer trust, and potential regulatory impact from misreporting shipping information.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS information is unavailable, rendering a precise risk quantification difficult. Because the flaw is a broken access control, the most likely attack scenario involves an authenticated user who can craft HTTP requests to plugin endpoints to access or alter rate data. Inference suggests that unauthenticated attacks are unlikely unless an endpoint is publicly accessible. The lack of a KEV listing implies that active exploitation is not yet confirmed, but the potential for financial damage warrants priority treatment."}}}}, "created": "2026-03-25T21:44:23.338210+00:00", "updated": "2026-03-26T11:38:18.776945+00:00", "vendors": ["aarsiv_groups", "aarsiv_groups$PRODUCT$automated_fedex_live/manual_rates_with_shipping_labels", "wordpress", "wordpress$PRODUCT$wordpress"]}