CVE-2026-39689

The eShipper Commerce WordPress plugin versions up to and including 2.16.12 contain a missing authorization vulnerability. This flaw stems from incorrectly configured access control checks, which fail to properly verify user permissions before allowing execution of certain actions [1]. The issue is classified as a broken access control bug, affecting functions that lack necessary authorization, authentication, or nonce token validation [1].

Attackers can exploit this vulnerability remotely without requiring authentication, making it possible to target thousands of websites indiscriminately. The vector is over the network, with low attack complexity and no user interaction needed [1]. This type of flaw is known to be used in mass-exploit campaigns against WordPress sites [1].

The impact is rated as medium severity (CVSS 3.1 5.3), primarily affecting confidentiality and integrity in a limited manner. While no authentication is required, successful exploitation may allow an attacker to perform actions normally reserved for higher-privileged users, potentially leading to unauthorized data access or modification [1].

The vendor has addressed the issue in version 2.16.13. Users are advised to update immediately to this patched release. Those unable to update should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].