WordPress Plugin Vulnerabilities

WPCargo Track & Trace <= 8.0.2 - Contributor+ Insecure Direct Object Reference

Description

The plugin is vulnerable to Insecure Direct Object Reference due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
wpcargo
No known fix

References

CVE
CVE-2025-31609
URL
https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-insecure-direct-object-references-idor-vulnerability

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
2.7 (low)

Miscellaneous

Original Researcher
hunter85
Verified
No
WPVDB ID
594ae221-06b6-4bc2-b5b6-0f9bac880f7b

Timeline

Publicly Published
2025-03-31 (about 1 year ago)
Added
2025-04-10 (about 1 year ago)
Last Updated
2025-07-24 (about 10 months ago)

Other

Published
Title
Published
2025-11-24
Title
Admin and Customer Messages After Order for WooCommerce: OrderConvo < 15 - Missing Authorization to Unauthenticated Information Disclosure
Published
2026-05-29
Title
Accept Stripe Payments < 2.0.99 - Unauthenticated Payment Bypass
Published
2026-02-13
Title
SureForms < 2.2.2 - Unauthenticated Stripe Payment Amount Manipulation
Published
2025-12-29
Title
Struktur <= 2.5.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-08-20
Title
Zephyr Project Manager < 3.3.103 - Missing Authorization to Authenticated (Subscriber+) Status Updates