{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39689", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:44.317Z", "dateUpdated": "2026-04-08T08:30:44.317Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "eshipper-commerce", "product": "eShipper Commerce", "vendor": "eshipper", "versions": [{"lessThanOrEqual": "2.16.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.743Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects eShipper Commerce: from n/a through <= 2.16.12.</p>"}], "value": "Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:44.317Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/eshipper-commerce/vulnerability/wordpress-eshipper-commerce-plugin-2-16-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress eShipper Commerce plugin <= 2.16.12 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12."}], "id": "CVE-2026-39689", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:40.937", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/eshipper-commerce/vulnerability/wordpress-eshipper-commerce-plugin-2-16-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.16.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "eShipper Commerce", "source": "cna", "vendor": "eshipper"}, "product": "eshipper_commerce", "vendor": "eshipper"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:30:36.808360+00:00", "value": {"mitigation_remediation": ["Upgrade eShipper Commerce to a version newer than 2.16.12 as released by the vendor."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Missing Authorization"}, "threat_synthesis": {"affected_systems": "The affected product is eShipper Commerce, supplied by eshipper. All releases through version 2.16.12 are vulnerable. Newer releases beyond 2.16.12 are not impacted.", "description_and_impact": "This vulnerability is an instance of Missing Authorization, categorized as CWE-862. The flaw allows unauthenticated or incorrectly authenticated users to bypass intended security checks and access functions or data that should be restricted. The primary consequence is unauthorized privilege escalation, enabling attackers to perform actions reserved for legitimate administrators or users, potentially compromising data integrity and confidentiality.", "risk_and_exploitability": "No CVSS score is provided, and EPSS data is unavailable, so formal metrics are missing. The vulnerability is not listed in CISA\u2019s KEV catalog. Although specific exploitation steps are not detailed, the nature of the flaw suggests that a web-based request to restricted plugin endpoints could be leveraged. Given the absence of mitigation in current releases and the potentially high impact of the flaw, the risk is considered significant and warrants immediate remedial action."}}}}, "created": "2026-04-08T19:27:45.357704+00:00", "updated": "2026-04-08T19:40:31.279040+00:00", "vendors": ["eshipper", "eshipper$PRODUCT$eshipper_commerce", "wordpress", "wordpress$PRODUCT$wordpress"]}