{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25401", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:48.355Z", "dateUpdated": "2026-03-25T16:14:48.355Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpcargo", "product": "WPCargo Track & Trace", "vendor": "Arni Cinco", "versions": [{"lessThanOrEqual": "<= 8.0.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.401Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.</p>"}], "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.355Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-8-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPCargo Track & Trace plugin <= 8.0.2 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2."}], "id": "CVE-2026-25401", "lastModified": "2026-03-25T17:16:49.637", "metrics": {}, "published": "2026-03-25T17:16:49.637", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-8-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:54:40.762138+00:00", "value": {"mitigation_remediation": ["Verify the installed WPCargo Track & Trace plugin version.", "Upgrade to the latest release \u2013 a version greater than 8.0.2 \u2013 as soon as it becomes available.", "If upgrading is delayed, remove the plugin completely or block its URLs to a restricted user role.", "Consider disabling the shipping tracking feature until a safe version is installed.", "Monitor the plugin vendor\u2019s security advisories for any remedial releases."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access and Potential Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the WPCargo Track & Trace plugin developed by Arni Cinco. All releases through version 8.0.2 of the plugin are vulnerable. WordPress sites using any of these plugin versions are at risk.", "description_and_impact": "Missing authorization checks in the WPCargo Track & Trace plugin allow an attacker who can send specially crafted requests to bypass authentication and gain unauthorized access to protected resources. The vulnerability is a classic broken access control flaw, enabling non\u2011privileged users to view or manipulate sensitive shipment data, potentially compromising confidentiality and integrity of logistics information.", "risk_and_exploitability": "Severity metrics such as CVSS and EPSS are not publicly available, but the common weakness ID indicates significant risk. The likely attack vector is web\u2011based, where an unauthenticated or low\u2011privilege user can craft requests to plugin endpoints. No official KEV listing suggests the vulnerability has not yet entered widespread exploitation, but the absence of mitigation guidance means organizations should treat the risk as high until a patch is applied."}}}}, "created": "2026-03-25T21:44:35.590647+00:00", "updated": "2026-03-25T21:44:35.590671+00:00", "vendors": []}