CVE-2026-25401
Missing Authorization in WPCargo Track & Trace Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arni_cinco | wpcargo_track_and_trace | to 8.0.2 (inc) |
| patchstack | wpcargo | From n/a|end_including=8.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25401 is a Missing Authorization vulnerability in the WordPress WPCargo Track & Trace Plugin versions up to and including 8.0.2. It is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain plugin functions.
This flaw allows unauthenticated users to perform actions that normally require higher privileges, making it highly dangerous and prone to exploitation in mass-attack campaigns targeting many websites.
How can this vulnerability impact me? :
This vulnerability can allow attackers without authentication to execute privileged actions within the WPCargo Track & Trace plugin, potentially compromising the security and integrity of your website.
Such exploitation can lead to unauthorized data access, manipulation, or disruption of services, affecting website functionality and user trust.
Because it is a high priority issue with a CVSS score of 7.5, it poses a significant risk and is often targeted in widespread attack campaigns.
What immediate steps should I take to mitigate this vulnerability?
This vulnerability is a high priority Broken Access Control issue affecting the WordPress WPCargo Track & Trace Plugin up to version 8.0.2.
No official patch is currently available for this vulnerability.
Patchstack has issued a mitigation rule that blocks attacks exploiting this flaw until an official patch is released.
- Apply the Patchstack mitigation rule to block exploitation attempts.
- Monitor for updates and immediately update the affected plugin once an official patch is released.
- Seek assistance from your hosting provider or web developer to implement mitigation measures.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-25401 vulnerability is a high priority Broken Access Control issue that allows unauthenticated users to perform actions requiring higher privileges due to missing authorization checks.
Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health-related information.
However, the provided information does not explicitly detail the direct effects on compliance with these regulations.