Shipmondo – A complete shipping solution for WooCommerce < 5.0.4 – Missing Authorization to Authenticated (Customer+) Information Disclosure | CVE 2025-27001 | Plugin Vulnerabilities

Description

The Shipmondo – A complete shipping solution for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getPriceRanges() function in all versions up to, and including, 5.0.3. This makes it possible for authenticated attackers, with customer-level access and above, to export arbitrary WordPress options.

Affects Plugins

pakkelabels-for-woocommerce

Fixed in 5.0.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f730cec-c086-441f-bebb-643aceb1e668

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Psai

Verified

No

WPVDB ID

892d8820-933f-44ba-aeb0-49a8a8682184

Timeline

Publicly Published

2025-03-28 (about 1 year ago)

Added

2025-04-03 (about 1 year ago)

Last Updated

2025-04-03 (about 1 year ago)

Other

Published

Title

Published

2025-12-24

Title

Car Rental Manager < 1.2.0 - Missing Authorization

Published

2025-04-07

Title

Motors – Car Dealership & Classified Listings Plugin < 1.4.65 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Published

2026-01-26

Title

hCaptcha for WP < 4.23.0 - Missing Authorization

Published

2024-05-03

Title

ShopLentor (formerly WooLentor) < 2.8.8 - Missing Authorization

Published

2025-12-22

Title

Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.12.1 - Missing Authorization