{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25401", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:48.355Z", "dateUpdated": "2026-04-28T16:14:57.849Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpcargo", "product": "WPCargo Track & Trace", "vendor": "Arni Cinco", "versions": [{"lessThanOrEqual": "8.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:24.480Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.</p>"}], "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.849Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-8-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPCargo Track & Trace plugin <= 8.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:37:11.317445Z", "id": "CVE-2026-25401", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:40:24.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:37:11.317445Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:36:10.598Z"}}], "cna": {"title": "WordPress WPCargo Track & Trace plugin <= 8.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Arni Cinco", "product": "WPCargo Track & Trace", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.0.2"}], "packageName": "wpcargo", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:24.480Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-8-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.599Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25401", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:40:24.315Z", "dateReserved": "2026-02-02T12:53:12.987Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:48.355Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Arni Cinco WPCargo Track &amp; Trace wpcargo permite la explotaci\u00f3n de niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a WPCargo Track &amp; Trace: desde n/a hasta &lt;= 8.0.2."}], "id": "CVE-2026-25401", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:49.637", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-8-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WPCargo Track & Trace", "source": "cna", "vendor": "Arni Cinco"}, "product": "wpcargo_track_&_trace", "vendor": "arni_cinco"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T16:51:48.378185+00:00", "value": {"mitigation_remediation": ["Update WPCargo Track & Trace to version 8.0.3 or later.", "If an upgrade is not immediately possible, disable the plugin or restrict its usage to trusted administrative accounts only.", "Review the plugin\u2019s access control configuration and ensure that only authorized roles can view cargo data.", "Monitor the site\u2019s access logs for any anomalous requests targeting the plugin."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to cargo tracking data"}, "threat_synthesis": {"affected_systems": "This issue affects the Arni Cinco WPCargo Track & Trace product, specifically all releases up to and including version 8.0.2. Any WordPress site that has this plugin installed and has not applied the latest update is potentially exposed, regardless of the site\u2019s overall security posture.", "description_and_impact": "The WPCargo Track & Trace plugin for WordPress contains a missing\u2011authorization flaw that allows an attacker to bypass the plugin\u2019s access\u2011control checks. This vulnerability, classified as an Access Control Failure (CWE\u2011862), can enable unauthorized users to view sensitive cargo and tracking information that should be protected. The plugin\u2019s default configuration permits access to this data without proper credential verification, creating a scenario where the confidentiality of cargo records is at risk.", "risk_and_exploitability": "The flaw is scored with a CVSS v3.1 base score of 7.5, indicating high severity. The EPSS score is below 1\u202f%, suggesting that exploitation attempts are expected to be infrequent. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description and the nature of the missing authorization check, the likely attack vector is a remote web request to the plugin\u2019s endpoints; this inference is drawn from the mention of incorrectly configured access control security levels."}}}}, "created": "2026-03-25T21:44:35.590647+00:00", "updated": "2026-03-27T20:26:21.964389+00:00", "vendors": ["arni_cinco", "arni_cinco$PRODUCT$wpcargo_track_&_trace", "wordpress", "wordpress$PRODUCT$wordpress"]}