CVE-2025-31866
Description
Missing authorization check in ShipDepot for WooCommerce ≤1.2.19 allows attackers to bypass access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ShipDepot for WooCommerce plugin (ship-depot) for WordPress, up to and including version 1.2.19, contains a missing authorization vulnerability [1]. The plugin does not verify that the requesting user holds the required permission before processing certain requests, so users who should not have access may reach restricted functionality.
Exploitation
An attacker with no authentication or only low privileges can exploit this vulnerability by sending crafted requests to plugin endpoints that lack proper capability checks [1]. No special network position or user interaction is required; the attack vector is the network (HTTP). Exploitation depends on finding AJAX actions or admin-ajax endpoints that fail to verify user permissions before processing the request.
Impact
Successful exploitation results in unauthorized access to sensitive plugin features or data [1]. The attacker may be able to view, modify, or delete configuration settings, see shipping information, or trigger actions intended only for administrators. This leads to information disclosure and potential privilege escalation within the WooCommerce context.
Mitigation
The vendor has not yet released a patched version at the time of publication [1]. As a workaround, site administrators should restrict access to the vulnerable plugin endpoints using a web application firewall (WAF) or custom .htaccess rules, and monitor for unauthorized activity. If the plugin is not essential, disable or remove it until a fix is released.
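As an added illustration, not ShipDepot's own code (the page does not identify the affected endpoint), this shows the shape of a WordPress AJAX handler with the authorization gap described above beside its hardened form. Action and option names are hypothetical placeholders; the nonce and capability calls are standard WordPress/WooCommerce APIs.

```php
<?php
// Added example, not the plugin's code. Action and option names are placeholders.

// Vulnerable shape: registered for both logged-in and logged-out (nopriv)
// callers, and the callback never checks who is making the request.
add_action( 'wp_ajax_example_save_shipping_unsafe', 'example_save_shipping_unsafe' );
add_action( 'wp_ajax_nopriv_example_save_shipping_unsafe', 'example_save_shipping_unsafe' );
function example_save_shipping_unsafe() {
    // Any HTTP client can overwrite the setting: no nonce, no capability check.
    update_option( 'example_shipping_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// Hardened shape: no nopriv registration, a nonce check against CSRF, and a
// capability check so only users allowed to manage the shop can change settings.
add_action( 'wp_ajax_example_save_shipping', 'example_save_shipping_checked' );
function example_save_shipping_checked() {
    // Dies with a 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_save_shipping', 'nonce' );

    // Authorization: the missing step in the vulnerability class above.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_shipping_settings', $settings );
    wp_send_json_success();
}
```

A quick audit heuristic for any plugin: every `wp_ajax_nopriv_*` registration and every `wp_ajax_*` callback without a `current_user_can()` (or equivalent) check is a candidate for exactly this finding.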
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.