CVE-2026-25456

Automated FedEx live/manual rates with shipping labels – HPOS supported <= 5.1.8 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Automated FedEx live/manual rates with shipping labels – HPOS supported plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 5.1.8
Published: March 17, 2026
Last updated: March 19, 2026
Affected plugin: a2z-fedex-shipping
Research Plan
Unverified


Research Plan: CVE-2026-25456 - Missing Authorization in Automated FedEx Shipping

1. Vulnerability Summary

The Automated FedEx live/manual rates with shipping labels – HPOS supported plugin (<= 5.1.8) contains a missing authorization vulnerability. Specifically, an AJAX handler or an initialization hook fails to verify the user's capabilities (e.g., current_user_can('manage_options')) and nonces before executing sensitive actions. Given the CVSS vector (I:L - Integrity: Low), the vulnerability likely allows unauthenticated attackers to modify plugin settings, potentially altering shipping rates, API credentials, or FedEx account configurations.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: wp_ajax_nopriv_ registration for a function intended for admin use (inferred). Likely related to settings persistence or rate management.
  • Parameters: A POST request containing an action parameter and various configuration keys.
  • Preconditions: The plugin must be active. No authentication is required for wp_ajax_nopriv_ actions.

3. Code Flow

  1. Entry Point: The attacker sends a POST request to admin-ajax.php.
  2. Hook Registration: The plugin registers a handler via add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... ) in a class constructor or an init hook.
  3. Execution: admin-ajax.php triggers the callback function associated with the action.
  4. Vulnerable Sink: The callback function performs an operation—such as update_option() or update_post_meta()—without calling current_user_can() or verifying a nonce.
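The code flow above describes the generic WordPress pattern behind this class of bug: a callback hooked on wp_ajax_nopriv_ that writes options without checking who is calling. The following is an added example written for this page, not the a2z-fedex-shipping plugin's own code; the action name example_save_shipping_settings, the option name example_shipping_settings, the script handle and the setting keys are assumed placeholders. It shows the insecure registration next to a hardened handler that is registered only for logged-in users, verifies a nonce with check_ajax_referer(), checks a capability with current_user_can(), and sanitizes input before update_option().

```php
<?php
// Added example, not the plugin's code. Action, option, script handle and
// setting keys are assumed placeholders.

// --- Insecure pattern (the bug class this advisory describes) ---
// Hooking a settings-saving callback on wp_ajax_nopriv_ exposes it to visitors
// who are not logged in, and the callback never checks nonce or capability.
add_action( 'wp_ajax_nopriv_example_save_shipping_settings', 'example_save_settings_insecure' );
add_action( 'wp_ajax_example_save_shipping_settings', 'example_save_settings_insecure' );

function example_save_settings_insecure() {
    // Raw POST data goes straight into the options table.
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
    update_option( 'example_shipping_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern ---
// 1. Register only the logged-in variant: a settings handler has no reason to be
//    reachable by anonymous visitors, so no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_save_shipping_settings', 'example_save_settings_secure' );

function example_save_settings_secure() {
    // 2. CSRF protection: check_ajax_referer() reads $_REQUEST['_ajax_nonce'] by
    //    default and terminates the request with a -1 / 403 response if the nonce
    //    is missing or does not match the action name.
    check_ajax_referer( 'example_save_shipping_settings' );

    // 3. Authorization: a valid nonce proves intent, not privilege, so the
    //    capability check is still required. manage_woocommerce is the capability
    //    WooCommerce grants shop managers; manage_options is administrator-only.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Validate and sanitize every field against an allow-list of keys before
    //    anything reaches update_option().
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $allowed_keys = array( 'account_id', 'meter_number', 'enable_live_rates' ); // assumed keys
    $clean = array();
    foreach ( $allowed_keys as $key ) {
        if ( ! isset( $raw[ $key ] ) ) {
            continue;
        }
        $clean[ $key ] = ( 'enable_live_rates' === $key )
            ? ( 'yes' === $raw[ $key ] ? 'yes' : 'no' )
            : sanitize_text_field( $raw[ $key ] );
    }

    update_option( 'example_shipping_settings', $clean );
    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}

// The nonce the admin page must send is created server-side when the settings
// script is enqueued and handed to JavaScript via wp_localize_script(). This
// assumes a script with the handle 'example-shipping-admin' is already enqueued
// on the plugin's settings page.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-shipping-admin', 'exampleShippingVars', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_save_shipping_settings' ),
    ) );
} );
```

The two checks are independent: check_ajax_referer() stops cross-site forgery against a logged-in administrator, while current_user_can() stops a low-privilege or anonymous caller who legitimately obtained a nonce from a public page (the situation section 4 of the plan relies on). Dropping the wp_ajax_nopriv_ registration removes the unauthenticated reach entirely, but the capability check is still what prevents a subscriber-level account from saving settings.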

4. Nonce Acquisition Strategy

While many "Missing Authorization" vulnerabilities also lack nonce checks, some may still use wp_verify_nonce() but lack capability checks. If a nonce is required:

  1. Identify Script Localization: Search for wp_localize_script in the codebase to find the JavaScript object name (e.g., a2z_fedex_vars or fedex_shipping_params).
  2. Find Script Enqueueing: Identify where the scripts are enqueued (e.g., the FedEx settings page or the WooCommerce checkout/product pages).
  3. Create Landing Page: If the scripts only load on product pages, create a dummy product:
    wp post create --post_type=product --post_title="Test Product" --post_status=publish
  4. Extract Nonce:
    • Navigate to the product page or checkout page.
    • Use browser_eval to extract the nonce:
      browser_eval("window.a2z_fedex_vars?.nonce") (Replace a2z_fedex_vars with the actual identifier found in step 1).

5. Exploitation Strategy

The goal is to modify a plugin setting (e.g., the FedEx Account ID) to demonstrate unauthorized integrity modification.

  1. Discovery:
    • Search for wp_ajax_nopriv in the plugin directory:
      grep -rn "wp_ajax_nopriv" .
    • Focus on actions that involve saving, updating, or deleting (e.g., a2z_fedex_save_settings, a2z_fedex_update_rates).
  2. Payload Construction:
    • Identify the option name used to store settings (e.g., a2z_fedex_settings).
    • Construct a POST request to admin-ajax.php.
  3. HTTP Request (via http_request):
    • Method: POST
    • URL: http://[TARGET]/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=[ACTION_NAME]&[SETTING_KEY]=[MALICIOUS_VALUE]&_ajax_nonce=[NONCE_IF_FOUND]

6. Test Data Setup

  1. Install Plugin: Ensure a2z-fedex-shipping version <= 5.1.8 is installed.
  2. Check Default Settings: Verify existing FedEx settings via CLI:
    wp option get a2z_fedex_settings (or similar inferred option name).
  3. WooCommerce Setup: Since this is a shipping plugin, WooCommerce must be active:
    wp plugin activate woocommerce

7. Expected Results

  • The server returns a 200 OK or a JSON success response (e.g., {"success":true}).
  • The target WordPress option (the plugin settings) is updated with the attacker-controlled value.

8. Verification Steps

  1. Verify Option Change:
    wp option get a2z_fedex_settings
    Check if the value for the modified key matches the payload sent in the exploit.
  2. Admin UI Check: Navigate to the plugin settings page in the WordPress dashboard and verify the settings reflect the change.

9. Alternative Approaches

  • Rate Manipulation: If the vulnerability is in a function that calculates rates, attempt to send a request that forces a $0 shipping rate or a fixed high rate to interfere with the checkout process.
  • REST API Check: If no AJAX actions are found, search for register_rest_route with a permission_callback set to __return_true or missing entirely.
  • Init Hook Hijack: Search for isset($_POST['...']) checks inside admin_init or init hooks that don't check for user privileges.
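The REST API variant listed above has the same root cause: register_rest_route() with permission_callback set to __return_true (or omitted) lets any caller reach a callback that writes settings. The following is an added example, not the plugin's code; the namespace example-shipping/v1, the route, the option name and the parameter are assumed placeholders. It contrasts the permissive registration with one whose permission_callback enforces a capability and whose args schema sanitizes the input before the callback runs.

```php
<?php
// Added example, not the plugin's code. Namespace, route, option name and
// parameter name are assumed placeholders.

add_action( 'rest_api_init', function () {
    // Insecure registration (shown for contrast, not registered here):
    //   'permission_callback' => '__return_true'
    // makes the route reachable by unauthenticated callers regardless of what
    // the callback writes. Since WordPress 5.5, omitting permission_callback
    // entirely triggers a _doing_it_wrong() notice for the same reason.

    register_rest_route( 'example-shipping/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'example_rest_save_settings',

        // Authorization runs before the callback. For cookie-authenticated
        // requests the REST API already validates the X-WP-Nonce header, so
        // the capability check is what remains for the plugin to supply.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },

        // Input validation through the schema: required, typed, sanitized.
        'args' => array(
            'account_id' => array( // assumed parameter name
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_rest_save_settings( WP_REST_Request $request ) {
    // Only reached when permission_callback returned true and args validated.
    $settings               = (array) get_option( 'example_shipping_settings', array() );
    $settings['account_id'] = $request->get_param( 'account_id' );
    update_option( 'example_shipping_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

The same capability check belongs in any admin_init or init hook that reacts to isset($_POST['...']): those hooks run for every request, logged in or not, so a handler there must verify a nonce and current_user_can() exactly as the AJAX and REST variants do.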

Research Findings
Static analysis — not yet PoC-verified

Summary

The Automated FedEx live/manual rates with shipping labels plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on AJAX handlers or initialization hooks in versions up to and including 5.1.8. This allows unauthenticated attackers to perform administrative actions such as modifying plugin settings, shipping rates, or FedEx API configurations.

Exploit Outline

  1. Identify AJAX actions registered by the plugin using wp_ajax_nopriv_ or wp_ajax_ handlers that perform sensitive operations (e.g., saving settings) without calling current_user_can().
  2. If a nonce is required, locate where the plugin enqueues scripts using wp_localize_script to find the nonce identifier and extract it from the source of public pages like the checkout or product pages.
  3. Construct a POST request to /wp-admin/admin-ajax.php including the vulnerable 'action' parameter and malicious configuration data (e.g., modifying the FedEx Account ID or API keys).
  4. Execute the request to modify the site's shipping configuration without authentication.
