{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25456", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.792Z", "datePublished": "2026-03-25T16:14:50.530Z", "dateUpdated": "2026-04-28T16:14:59.355Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "a2z-fedex-shipping", "product": "Automated FedEx live/manual rates with shipping labels", "vendor": "Aarsiv Groups", "versions": [{"lessThanOrEqual": "5.1.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:20.582Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9.</p>"}], "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.355Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Automated FedEx live/manual rates with shipping labels plugin <= 5.1.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:13:40.671204Z", "id": "CVE-2026-25456", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:43:50.753Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25456", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.792Z", "datePublished": "2026-03-25T16:14:50.530Z", "dateUpdated": "2026-04-28T01:43:50.753Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "a2z-fedex-shipping", "product": "Automated FedEx live/manual rates with shipping labels", "vendor": "Aarsiv Groups", "versions": [{"lessThanOrEqual": "5.1.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:20.582Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9.</p>"}], "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.998Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Automated FedEx live/manual rates with shipping labels plugin <= 5.1.9 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25456", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:13:40.671204Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:13:32.460Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Automated FedEx live/manual rates with shipping labels: desde n/a hasta &lt;= 5.1.8."}], "id": "CVE-2026-25456", "lastModified": "2026-04-28T02:16:07.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:51.747", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/a2z-fedex-shipping/vulnerability/wordpress-automated-fedex-live-manual-rates-with-shipping-labels-plugin-5-1-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Automated FedEx live/manual rates with shipping labels", "source": "cna", "vendor": "Aarsiv Groups"}, "product": "automated_fedex_live/manual_rates_with_shipping_labels", "vendor": "aarsiv_groups"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T16:55:58.132562+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than\u00a05.1.9, which resolves the broken access control.", "If an update is not available, deactivate or uninstall the plugin from the WordPress site.", "If the plugin must remain, restrict its use to administrators by reviewing WordPress role capabilities or adding custom access control measures."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All WordPress installations running Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin through version\u00a05.1.9 are vulnerable. The issue applies to every release from the first available version up to and including\u00a05.1.9. Sites that have upgraded beyond\u00a05.1.9 or have not installed the plugin are not affected.", "description_and_impact": "A broken access control vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin allows an attacker to invoke plugin functions without the necessary permissions. Classified as CWE\u2011862, this flaw permits unauthorized manipulation of shipping rate calculations and creation of shipping labels, potentially enabling financial loss or fraud by providing shipping services without cost or by altering order fulfillment data, thereby affecting the integrity and confidentiality of business operations.", "risk_and_exploitability": "CVSS base score of\u00a07.3 indicates high severity, while the EPSS score of less than\u00a01% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attack executed over the web; the plugin's endpoints can be accessed without authentication, allowing an attacker to exploit the issue from anywhere with internet connectivity. The absence of authentication and the unrestricted access to the function expose the system to potential unauthorized changes, prompting a need for immediate remediation."}}}}, "created": "2026-03-25T21:44:23.338210+00:00", "updated": "2026-04-28T17:00:13.456858+00:00", "vendors": ["aarsiv_groups", "aarsiv_groups$PRODUCT$automated_fedex_live/manual_rates_with_shipping_labels", "wordpress", "wordpress$PRODUCT$wordpress"]}