WordPress Plugin Vulnerabilities

Order Delivery Date for WooCommerce < 4.2.0 - Missing Authorization

Description

The Order Delivery Date for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
order-delivery-date-for-woocommerce
Fixed in 4.2.0

References

CVE
CVE-2025-58599
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d4d7a36f-0210-43e8-b95c-f8666bf70aac

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bao
Verified
No
WPVDB ID
8357b94d-a32b-49fc-b624-7158a66f1352

Timeline

Publicly Published
2025-09-03 (about 8 months ago)
Added
2025-09-09 (about 8 months ago)
Last Updated
2025-09-09 (about 8 months ago)

Other

Published
Title
Published
2022-03-29
Title
myCred < 2.4.4 - Subscriber+ Arbitrary Post Creation
Published
2025-09-22
Title
Trustpilot Reviews < 3.6.0 - Missing Authorization
Published
2025-04-11
Title
Bulk <= 1.0.11 - Missing Authorization
Published
2026-03-17
Title
Education Zone < 1.3.9 - Missing Authorization
Published
2025-02-11
Title
WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon < 1.6.1 - Missing Authorization to Authenticated (Subscriber+) Settings Reset