CVE-2026-8678
MyParcel <= 4.25.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Shipment Data Disclosure and Modification via wcmp_get_shipment_options and wcmp_save_shipment_options AJAX Actions
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
11 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view and modify shipment options — including carrier, delivery type, package type, number of labels, weight, signature requirement, and insurance — on any arbitrary order.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
richardperdaan · MyParcelReferences
https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.24.3/includes/admin/class-wcmypa-admin.php#L118https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.24.3/includes/admin/class-wcmypa-admin.php#L653https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.24.3/includes/admin/class-wcmypa-admin.php#L872https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.25.1/includes/admin/class-wcmypa-admin.php#L118https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.25.1/includes/admin/class-wcmypa-admin.php#L653https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.25.1/includes/admin/class-wcmypa-admin.php#L872https://plugins.trac.wordpress.org/changeset?reponame=&old=3585914%40woocommerce-myparcel&new=3585914%40woocommerce-myparcelhttps://www.wordfence.com/threat-intel/vulnerabilities/id/1a7bdae1-b28a-4fc6-9538-944ffeb32796?source=cve