CVE-2026-25456
Received Received - Intake
Missing Authorization in Aarsiv FedEx Shipping Plugin Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25456
EUVD
EUVD-2026-15736
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aarsiv_groups automated_fedex_live_manual_rates_with_shipping_labels to 5.1.8 (inc)
aarsiv_groups a2z-fedex-shipping From 5.1.8|end_including=5.1.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Missing Authorization issue in the Aarsiv Groups Automated FedEx live/manual rates with shipping labels plugin. It allows attackers to exploit incorrectly configured access control security levels, meaning that unauthorized users may gain access to functions or data they should not be able to access.

Impact Analysis

The impact of this vulnerability could include unauthorized access to shipping rate information or the ability to manipulate shipping labels, potentially leading to misuse of shipping services or exposure of sensitive shipping data.

Compliance Impact

CVE-2026-25456 is a Broken Access Control vulnerability that allows unauthenticated users to perform actions reserved for higher-privileged users due to missing authorization checks.

Such unauthorized access can lead to exposure or manipulation of sensitive data, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.

Therefore, organizations using the affected plugin versions may face increased risk of violating these standards if the vulnerability is exploited, potentially leading to legal and regulatory consequences.

Detection Guidance

This vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, allowing unauthenticated users to perform privileged actions.

Detection would involve monitoring for unauthorized access attempts or exploitation attempts targeting the WordPress plugin "Automated FedEx live/manual rates with shipping labels" versions up to 5.1.8.

Since no official patch is available, Patchstack has issued mitigation rules that block exploitation attempts, which can also be used to detect such attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation involves updating the plugin if a patched version becomes available.

If updating is not possible, apply Patchstack’s mitigation measures which block exploitation attempts until an official patch is released.

Website owners unable to update should seek assistance from their hosting providers or web developers.

Patchstack also offers automated vulnerability mitigation and continuous security monitoring to protect affected sites.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart