CVE-2026-39602
Received Received - Intake
Missing Authorization in Rustaurius Order Tracking

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39602
EUVD
EUVD-2026-20232
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
rustaurius order_tracking to 3.4.3 (inc)
patchstack order_tracking to 3.4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39602 is a Broken Access Control vulnerability in the WordPress Order Tracking Plugin versions up to and including 3.4.3. It occurs due to missing authorization, authentication, or nonce token checks in certain functions. This flaw allows unauthenticated and unprivileged users to perform actions that normally require higher privileges.

Impact Analysis

This vulnerability can allow unauthorized users to perform privileged actions within the Order Tracking plugin, potentially leading to unauthorized access or manipulation of order data. However, it has a CVSS severity score of 5.3, indicating a low priority threat with limited impact and is unlikely to be widely exploited.

Detection Guidance

This vulnerability is a Broken Access Control issue in the WordPress Order Tracking Plugin up to version 3.4.3, allowing unauthorized users to perform privileged actions.

Detection typically involves checking the version of the Order Tracking plugin installed on your WordPress site to see if it is version 3.4.3 or earlier.

Since this is a web application vulnerability, network detection commands are not explicitly provided in the available resources.

You can check the plugin version via WP-CLI with the command: wp plugin list | grep order-tracking

Additionally, reviewing access logs for unusual unauthenticated requests attempting to access privileged functions of the Order Tracking plugin may help identify exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update the WordPress Order Tracking Plugin to a version later than 3.4.3 once a patch is available.

Since no official patch is currently available, users are advised to seek assistance from their hosting provider or web developer to implement temporary access control measures.

Using security services such as Patchstack's rapid vulnerability mitigation and security intelligence can help protect affected websites in the meantime.

Compliance Impact

The vulnerability CVE-2026-39602 is a Broken Access Control issue in the WordPress Order Tracking Plugin, allowing unauthorized users to perform actions requiring higher privileges.

Such missing authorization vulnerabilities can potentially lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA if personal or protected health information is exposed.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart