CVE-2026-39602
Missing Authorization in Rustaurius Order Tracking
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustaurius | order_tracking | to 3.4.3 (inc) |
| patchstack | order_tracking | to 3.4.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39602 is a Broken Access Control vulnerability in the WordPress Order Tracking Plugin versions up to and including 3.4.3. It occurs due to missing authorization, authentication, or nonce token checks in certain functions. This flaw allows unauthenticated and unprivileged users to perform actions that normally require higher privileges.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions within the Order Tracking plugin, potentially leading to unauthorized access or manipulation of order data. However, it has a CVSS severity score of 5.3, indicating a low priority threat with limited impact and is unlikely to be widely exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Broken Access Control issue in the WordPress Order Tracking Plugin up to version 3.4.3, allowing unauthorized users to perform privileged actions.
Detection typically involves checking the version of the Order Tracking plugin installed on your WordPress site to see if it is version 3.4.3 or earlier.
Since this is a web application vulnerability, network detection commands are not explicitly provided in the available resources.
You can check the plugin version via WP-CLI with the command: wp plugin list | grep order-tracking
Additionally, reviewing access logs for unusual unauthenticated requests attempting to access privileged functions of the Order Tracking plugin may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WordPress Order Tracking Plugin to a version later than 3.4.3 once a patch is available.
Since no official patch is currently available, users are advised to seek assistance from their hosting provider or web developer to implement temporary access control measures.
Using security services such as Patchstack's rapid vulnerability mitigation and security intelligence can help protect affected websites in the meantime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-39602 is a Broken Access Control issue in the WordPress Order Tracking Plugin, allowing unauthorized users to perform actions requiring higher privileges.
Such missing authorization vulnerabilities can potentially lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA if personal or protected health information is exposed.
However, the provided information does not explicitly state the direct impact on compliance with these standards.