CVE-2026-25401
Received Received - Intake
Missing Authorization in WPCargo Track & Trace Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25401
EUVD
EUVD-2026-15715
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arni_cinco wpcargo_track_and_trace to 8.0.2 (inc)
patchstack wpcargo From n/a|end_including=8.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25401 is a Missing Authorization vulnerability in the WordPress WPCargo Track & Trace Plugin versions up to and including 8.0.2. It is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain plugin functions.

This flaw allows unauthenticated users to perform actions that normally require higher privileges, making it highly dangerous and prone to exploitation in mass-attack campaigns targeting many websites.

Impact Analysis

This vulnerability can allow attackers without authentication to execute privileged actions within the WPCargo Track & Trace plugin, potentially compromising the security and integrity of your website.

Such exploitation can lead to unauthorized data access, manipulation, or disruption of services, affecting website functionality and user trust.

Because it is a high priority issue with a CVSS score of 7.5, it poses a significant risk and is often targeted in widespread attack campaigns.

Mitigation Strategies

This vulnerability is a high priority Broken Access Control issue affecting the WordPress WPCargo Track & Trace Plugin up to version 8.0.2.

No official patch is currently available for this vulnerability.

Patchstack has issued a mitigation rule that blocks attacks exploiting this flaw until an official patch is released.

  • Apply the Patchstack mitigation rule to block exploitation attempts.
  • Monitor for updates and immediately update the affected plugin once an official patch is released.
  • Seek assistance from your hosting provider or web developer to implement mitigation measures.
Compliance Impact

The CVE-2026-25401 vulnerability is a high priority Broken Access Control issue that allows unauthenticated users to perform actions requiring higher privileges due to missing authorization checks.

Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health-related information.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart