WordPress Plugin Vulnerabilities

WPCargo Track & Trace <= 8.0.2 - Subscriber+ Settings Update

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

Affects Plugins

Plugin icon
wpcargo
No known fix

References

CVE
CVE-2024-54271
URL
https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-settings-change-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
b433fff9-b501-4fb3-9f04-5e18b64b0a90

Timeline

Publicly Published
2024-12-11 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2025-07-24 (about 10 months ago)

Other

Published
Title
Published
2025-09-22
Title
Event Rocket <= 3.3 - Missing Authorization
Published
2024-06-07
Title
CF7 Google Sheets Connector < 5.0.10 - Missing Authorization to Limited Site Configuration Update
Published
2024-12-02
Title
Simple User Registration < 6.0 - Missing Authorization to User Deletion
Published
2025-02-12
Title
LTL Freight Quotes – FreightQuote Edition < 2.3.12 - Missing Authorization
Published
2024-02-23
Title
Addon Library <= 1.3.76 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload