WordPress Plugin Vulnerabilities

AfterShip Tracking < 1.17.18 - Missing Authorization

Description

The AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.17.17. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
aftership-woocommerce-tracking
Fixed in 1.17.18

References

CVE
CVE-2025-58201
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5c394739-14c9-4e62-985b-3791f48dca65

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
ch4r0n
Verified
No
WPVDB ID
ec142531-6965-4af7-9bb3-1447deaec8a4

Timeline

Publicly Published
2025-08-27 (about 8 months ago)
Added
2025-09-03 (about 8 months ago)
Last Updated
2025-09-03 (about 8 months ago)

Other

Published
Title
Published
2025-01-14
Title
Setup Default Featured Image < 1.3 - Missing Authorization
Published
2024-07-09
Title
Woocommerce OpenPos < 7.0.2 - Unauthenticated Sensitive Information Disclosure
Published
2024-06-21
Title
Sparkle Demo Importer < 1.4.8 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import
Published
2026-01-20
Title
The Events Calendar < 6.15.13.1 - Subscriber+ Data Migration Control
Published
2025-12-31
Title
RestroPress < 3.2.8 - Missing Authorization