CVE-2025-31609
Description
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WPCargo Track & Trace <= 8.0.2 allows attackers to exploit incorrectly configured access controls, enabling unauthorized actions via IDOR.
Vulnerability Overview
CVE-2025-31609 is a Missing Authorization vulnerability in the WPCargo Track & Trace plugin for WordPress, affecting versions from n/a through 8.0.2. The root cause is an Insecure Direct Object Reference (IDOR) flaw, where the plugin fails to properly verify user permissions when accessing certain resources. This allows exploiting incorrectly configured access control security levels [1].
Exploitation
Attackers can exploit this vulnerability without requiring authentication or elevated privileges, as the access controls are misconfigured. By sending crafted requests that reference internal objects (e.g., shipment IDs or tracking data), an attacker may bypass authorization checks. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].
Impact
Successful exploitation could lead to unauthorized access to sensitive data or functions, such as viewing or modifying tracking records, orders, or other protected information. The CVSS v3 base score is 4.3 (Medium), reflecting the potential for information disclosure or limited manipulation without full system compromise [1].
Mitigation
Users are strongly advised to update the WPCargo Track & Trace plugin to the latest available version. If immediate updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. The vulnerability is patched in versions after 8.0.2 [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.