CVE-2026-39672
Description
Missing Authorization vulnerability in shiptime ShipTime: Discounted Shipping Rates shiptime-discount-shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShipTime: Discounted Shipping Rates: from n/a through <= 1.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in ShipTime Discounted Shipping Rates plugin for WordPress allows unprivileged users to access higher-privileged actions.
Vulnerability Description
The ShipTime: Discounted Shipping Rates plugin for WordPress (versions up to and including 1.1.1) suffers from a missing authorization vulnerability. Specifically, the plugin fails to properly verify access control security levels, allowing actions intended for higher-privileged users to be executed by unauthorized parties. This is a classic case of broken access control, where the function lacks required permission checks or nonce tokens [1].
Attack Vector and Requirements
An attacker can exploit this vulnerability without needing any special privileges; simply sending a crafted HTTP request to the affected plugin's endpoint may suffice. Because the plugin does not enforce proper authorization, even low-privileged or unauthenticated users can trigger functions reserved for administrators or other high-level roles. This makes the vulnerability particularly dangerous as it can be automated for mass exploitation campaigns [1].
Impact
Successful exploitation allows an attacker to perform actions that should require higher privileges, such as modifying shipping rate configurations, accessing sensitive data, or potentially escalating their account privileges. The CVSS v3 base score is 5.3 (Medium), reflecting the moderate but real risk of unauthorized access to restricted functionality [1].
Mitigation
The vulnerability is patched in version 1.1.2 and later. Users are strongly advised to update the plugin immediately. If updating is not possible, consider disabling the plugin or implementing web application firewall rules to block malicious requests until a proper fix can be applied [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1.1
- Range: <=1.1.1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.