Description
The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view and modify shipment options — including carrier, delivery type, package type, number of labels, weight, signature requirement, and insurance — on any arbitrary order.
Problem types
Product status
Any version
Timeline
| 2026-07-10: | Disclosed |
Credits
nudien udin
nudien
References
www.wordfence.com/...-b28a-4fc6-9538-944ffeb32796?source=cve
plugins.trac.wordpress.org/...s/admin/class-wcmypa-admin.php
plugins.trac.wordpress.org/...s/admin/class-wcmypa-admin.php
plugins.trac.wordpress.org/...s/admin/class-wcmypa-admin.php
plugins.trac.wordpress.org/...s/admin/class-wcmypa-admin.php
plugins.trac.wordpress.org/...s/admin/class-wcmypa-admin.php
plugins.trac.wordpress.org/...s/admin/class-wcmypa-admin.php
plugins.trac.wordpress.org/...3585914%40woocommerce-myparcel