CVE-2025-62976

Vulnerability

The Sendle Shipping plugin for WordPress (versions up to and including 6.02) contains a missing authorization vulnerability. Specifically, the plugin fails to properly validate user permissions or enforce nonce checks for certain functions, allowing access to functionality that should be constrained by access control lists (ACLs). This is a classic broken access control issue [1].

Exploitation

An attacker can exploit this vulnerability without needing any authentication or special privileges. By sending crafted requests to the affected plugin endpoints, they can invoke actions that are intended only for authenticated users with higher-level roles (e.g., administrators). The attack can be performed remotely over HTTP and does not require any prior access to the WordPress site [1].

Impact

Successful exploitation could allow an unprivileged attacker to interact with sensitive plugin functionality, potentially leading to unauthorized modification of shipping settings or other privileged operations. While the vendor rates the severity as low, the vulnerability could be chained into broader attacks, especially given that such issues are often targeted in mass-exploit campaigns [1].

Mitigation

The vulnerability has been fixed in version 6.03 of the plugin. Users are strongly advised to update to this or any later version immediately. For those who cannot update immediately, it is recommended to contact their hosting provider or a web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].