CVE-2025-62995

The MultiParcels Shipping For WooCommerce plugin for WordPress versions up to and including 1.30.12 contains a missing authorization vulnerability. The issue stems from a broken access control mechanism, where the plugin fails to properly verify user permissions or nonce tokens in certain functions, leading to incorrectly configured access control security levels [1].

Exploitation of this vulnerability does not require authentication, as an unprivileged user can trigger higher-privileged actions without proper authorization checks. The attack surface is accessible via the plugin functionality that lacks sufficient access control, potentially allowing attackers to perform unauthorized operations [1].

The impact of successful exploitation is limited to unauthorized access to certain plugin features, but the vulnerability is considered low severity and unlikely to be exploited in mass campaigns. However, it has been noted that similar vulnerabilities are used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation is available by updating to version 1.30.13 or later, which resolves the missing authorization issue. Patchstack users can enable auto-updates for vulnerable plugins. As an immediate action, users should update the plugin or seek assistance from their hosting provider [1].