CVE-2025-68051
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in Shiprocket via User-Controlled Key

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket shiprocket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shiprocket: from n/a through <= 2.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68051
EUVD
EUVD-2025-208076
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shiprocket shiprocket to 2.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68051 is an Insecure Direct Object References (IDOR) vulnerability found in the WordPress Shiprocket Plugin versions up to and including 2.0.8. This vulnerability allows attackers to bypass authorization and authentication controls by exploiting incorrectly configured access control security levels. Essentially, an attacker with at least subscriber or developer privileges can gain unauthorized access to sensitive files, folders, or database interactions that should normally be restricted.

The vulnerability is classified under OWASP Top 10 A1: Broken Access Control and carries a CVSS severity score of 7.5, indicating a high risk and likelihood of exploitation. No official patch is currently available, but mitigation rules from Patchstack can help block attack attempts until a fix is released.

Impact Analysis

This vulnerability can have serious impacts by allowing unauthorized users to bypass access controls and gain access to sensitive information or functionality within the Shiprocket plugin. This could lead to exposure of confidential data, unauthorized modification of data, or other malicious activities that compromise the security and integrity of your website or application.

Because the vulnerability requires only subscriber or developer privileges to exploit, it increases the risk that even lower-privileged users could escalate their access, potentially leading to data breaches or other security incidents.

Compliance Impact

I don't know

Detection Guidance

The vulnerability affects WordPress sites using the Shiprocket Plugin versions up to and including 2.0.8. Detection involves monitoring for unauthorized access attempts that exploit broken access control or Insecure Direct Object References (IDOR).

Since no official patch is available, detection can be enhanced by using Patchstack’s automated vulnerability mitigation and continuous security monitoring tools, which can identify and block attack attempts related to this vulnerability.

Specific commands are not provided in the available resources, but network administrators should monitor HTTP requests for suspicious access patterns to sensitive files or database interactions that bypass authorization.

Mitigation Strategies

Immediate mitigation steps include implementing the mitigation rule provided by Patchstack, which can block attack attempts targeting this vulnerability until an official patch is released.

Users are strongly advised to deploy Patchstack’s tools for automated vulnerability mitigation and continuous security monitoring to protect their WordPress sites.

Additionally, restricting user privileges to the minimum necessary and monitoring for suspicious activity can help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68051. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart