CVE-2025-68051
Authorization Bypass in Shiprocket via User-Controlled Key
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shiprocket | shiprocket | to 2.0.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68051 is an Insecure Direct Object References (IDOR) vulnerability found in the WordPress Shiprocket Plugin versions up to and including 2.0.8. This vulnerability allows attackers to bypass authorization and authentication controls by exploiting incorrectly configured access control security levels. Essentially, an attacker with at least subscriber or developer privileges can gain unauthorized access to sensitive files, folders, or database interactions that should normally be restricted.
The vulnerability is classified under OWASP Top 10 A1: Broken Access Control and carries a CVSS severity score of 7.5, indicating a high risk and likelihood of exploitation. No official patch is currently available, but mitigation rules from Patchstack can help block attack attempts until a fix is released.
How can this vulnerability impact me? :
This vulnerability can have serious impacts by allowing unauthorized users to bypass access controls and gain access to sensitive information or functionality within the Shiprocket plugin. This could lead to exposure of confidential data, unauthorized modification of data, or other malicious activities that compromise the security and integrity of your website or application.
Because the vulnerability requires only subscriber or developer privileges to exploit, it increases the risk that even lower-privileged users could escalate their access, potentially leading to data breaches or other security incidents.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability affects WordPress sites using the Shiprocket Plugin versions up to and including 2.0.8. Detection involves monitoring for unauthorized access attempts that exploit broken access control or Insecure Direct Object References (IDOR).
Since no official patch is available, detection can be enhanced by using Patchstackβs automated vulnerability mitigation and continuous security monitoring tools, which can identify and block attack attempts related to this vulnerability.
Specific commands are not provided in the available resources, but network administrators should monitor HTTP requests for suspicious access patterns to sensitive files or database interactions that bypass authorization.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing the mitigation rule provided by Patchstack, which can block attack attempts targeting this vulnerability until an official patch is released.
Users are strongly advised to deploy Patchstackβs tools for automated vulnerability mitigation and continuous security monitoring to protect their WordPress sites.
Additionally, restricting user privileges to the minimum necessary and monitoring for suspicious activity can help reduce the risk of exploitation.