CVE-2025-68051

Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference

Authorization Bypass Through User-Controlled Key
CVSS Score: 4.3
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Shiprocket plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.0.8
Published: January 29, 2026
Last updated: February 2, 2026
Affected plugin: shiprocket

Research Plan (Unverified)

Research Plan: CVE-2025-68051 Shiprocket IDOR

1. Vulnerability Summary

The Shiprocket plugin for WordPress (versions <= 2.0.8) contains an Insecure Direct Object Reference (IDOR) vulnerability. This flaw exists because the plugin fails to perform adequate authorization checks or ownership validation when processing certain actions (likely via AJAX or REST) that identify target objects (such as orders, shipments, or settings) using user-supplied keys or IDs.

An authenticated attacker with Subscriber-level permissions can exploit this to perform unauthorized actions, such as modifying shipping details, cancelling orders, or altering plugin configurations, depending on the specific vulnerable function.

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX (/wp-admin/admin-ajax.php) or a Shiprocket-specific REST API route.
  • Vulnerable Action: Likely one of the following (inferred based on plugin functionality):
    • shiprocket_cancel_order
    • shiprocket_update_order_status
    • shiprocket_delete_account
    • shiprocket_save_settings
  • Payload Parameter: A parameter such as id, order_id, shipment_id, or channel_id.
  • Authentication: Authenticated, Subscriber level or higher.
  • Preconditions: The attacker must have a valid Subscriber account and access to a valid nonce, which is typically exposed in the WordPress admin dashboard for all logged-in users.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler for authenticated users:
    add_action('wp_ajax_shiprocket_cancel_order', 'Shiprocket_Ajax_Handler::cancel_order'); (inferred).
  2. Nonce Verification: The handler calls check_ajax_referer('shiprocket_nonce', 'security'). Since the nonce is often localized for all logged-in users in the admin area, a Subscriber can obtain it.
  3. Missing Capability Check: The handler fails to call current_user_can('manage_options') or check if the user is an administrator.
  4. Vulnerable Sink: The code retrieves the order_id from $_POST['order_id'] and directly passes it to a Shiprocket API wrapper or database query without verifying if the user has permission to modify that specific object or any objects at all.
    • Example: $result = $shiprocket_api->cancelOrder($_POST['order_id']);

4. Nonce Acquisition Strategy

Shiprocket likely enqueues its configuration and nonces for use in its admin dashboard. Even Subscribers can access basic admin pages like wp-admin/profile.php, which triggers the loading of global admin scripts.

  1. Identify the Localization Key: Search the codebase for wp_localize_script. Look for a key like shiprocket_ajax_object or sr_admin_params.
  2. Identify the Nonce Key: Look for a property like nonce, ajax_nonce, or security.
  3. Automated Extraction:
    • Navigate to /wp-admin/profile.php as a Subscriber.
    • Execute: browser_eval("window.sr_admin_params?.nonce") (inferred key).

5. Exploitation Strategy

This plan assumes the vulnerability allows unauthorized order cancellation or status modification via IDOR.

  1. Step 1: Authenticate as Subscriber: Log in and maintain session cookies.
  2. Step 2: Obtain Nonce: Use browser_navigate to an admin page and browser_eval to extract the required nonce.
  3. Step 3: Identify Target ID: Find a target object ID (e.g., an order ID 123 created by an admin).
  4. Step 4: Execute Unauthorized Action:
    • Use http_request to send a POST request to admin-ajax.php.
    • Action: shiprocket_cancel_order (inferred).
    • Parameters: action=shiprocket_cancel_order&order_id=123&security=[NONCE].

Draft HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Subscriber Cookies]

action=shiprocket_cancel_order&order_id=123&security=[NONCE]

6. Test Data Setup

  1. Administrative Setup:
    • Install Shiprocket plugin version 2.0.8.
    • Create a dummy WooCommerce order or a Shiprocket-managed order (ID: 123).
  2. Attacker Setup:
    • Create a user with the Subscriber role.
  3. Shortcode/Page Setup (If needed):
    • If the nonce is only available on specific pages, create a page with the Shiprocket dashboard shortcode: [shiprocket_dashboard] (inferred).

7. Expected Results

  • Successful Exploit: The server returns a success response (e.g., {"success": true} or 1). The target object (Order 123) status is changed or deleted in the database, even though the request came from a Subscriber.
  • Failed Exploit: The server returns 403 Forbidden or {"success": false, "data": "Unauthorized"}.

8. Verification Steps

  1. Check Order Status via WP-CLI:
    wp post get 123 --field=post_status (Check if the status changed to 'cancelled').
  2. Check Plugin Logs/Meta:
    wp post meta list 123 (Check for metadata updates indicating an external cancellation).
  3. Verify Subscriber Permissions:
    Confirm the attacker user still only has the Subscriber role: wp user get [user_id] --field=roles.

9. Alternative Approaches

If shiprocket_cancel_order is not the vulnerable action:

  • Search for all AJAX actions: grep -r "wp_ajax_" .
  • Audit permissions: Check for any function that calls $_POST['id'] or $_POST['key'] and lacks a current_user_can check.
  • Check REST API: Audit routes registered via register_rest_route. Look for handlers that lack a permission_callback or use __return_true.
  • Check Settings Updates: A common IDOR allows updating API keys. Look for action=shiprocket_save_settings.
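The search-and-audit steps above can be scripted. The following is an added example, not part of the advisory or the plugin, written for PHP 8: it walks a plugin directory, pairs every wp_ajax_* registration made with add_action() with its callback, reports callbacks whose body contains no current_user_can() call, and flags register_rest_route() calls whose permission_callback is missing or is __return_true. The directory argument is a placeholder, and the matching is regex-based with naive brace counting, so the output is a review list rather than a verdict; a handler of the shape inferred on this page (registered with add_action(), body calling only check_ajax_referer()) is exactly what it reports.

```php
<?php
// Added example (not the advisory's or the plugin's code): a heuristic static
// audit for missing capability checks in WordPress AJAX and REST handlers.
// Usage: php audit-handlers.php /path/to/wp-content/plugins/<plugin>   (path is a placeholder)

function collect_php_sources( string $dir ): array {
    $sources = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( strtolower( $file->getExtension() ) === 'php' ) {
            $sources[ $file->getPathname() ] = file_get_contents( $file->getPathname() );
        }
    }
    return $sources;
}

// Map "wp_ajax_<action>" => callback name for add_action() calls written as
// 'cb', 'Class::cb', array($this, 'cb') or [ $this, 'cb' ]. Closures are not matched.
function find_ajax_registrations( string $code ): array {
    $found = [];
    $re = '/add_action\(\s*[\'"](wp_ajax_(?:nopriv_)?[\w-]+)[\'"]\s*,\s*'
        . '(?:(?:array\s*\(|\[)\s*[^,]+,\s*)?[\'"]([\w:]+)[\'"]/';
    if ( preg_match_all( $re, $code, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $hit ) {
            $cb = $hit[2];
            if ( str_contains( $cb, '::' ) ) {
                $cb = substr( $cb, strrpos( $cb, '::' ) + 2 );
            }
            $found[ $hit[1] ] = $cb;
        }
    }
    return $found;
}

// Body of the first function with this name, found by counting braces.
// Braces inside strings or comments are not special-cased (heuristic only).
function extract_function_body( string $code, string $name ): ?string {
    $re = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*\{/';
    if ( ! preg_match( $re, $code, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] ); // just past the opening brace
    $depth = 1;
    $len   = strlen( $code );
    for ( $i = $start; $i < $len; $i++ ) {
        if ( $code[ $i ] === '{' ) {
            $depth++;
        } elseif ( $code[ $i ] === '}' && --$depth === 0 ) {
            return substr( $code, $start, $i - $start );
        }
    }
    return null;
}

function audit_plugin( array $sources ): array {
    $findings = [];
    $all      = implode( "\n", $sources ); // the callback may live in another file
    foreach ( $sources as $path => $code ) {
        foreach ( find_ajax_registrations( $code ) as $hook => $cb ) {
            $body = extract_function_body( $all, $cb );
            if ( $body === null ) {
                $findings[] = "$path: $hook -> $cb(): callback not found, review manually";
            } elseif ( ! preg_match( '/current_user_can\s*\(/', $body ) ) {
                $findings[] = "$path: $hook -> $cb(): no current_user_can() in handler body";
            }
        }
        // Every REST route should carry a permission_callback that is not __return_true.
        if ( preg_match_all( '/register_rest_route\s*\((.*?)\)\s*;/s', $code, $routes ) ) {
            foreach ( $routes[1] as $args ) {
                if ( ! str_contains( $args, 'permission_callback' ) || str_contains( $args, '__return_true' ) ) {
                    $findings[] = "$path: register_rest_route() without a restrictive permission_callback";
                }
            }
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( audit_plugin( collect_php_sources( $argv[1] ) ) as $line ) {
        echo $line, PHP_EOL;
    }
}
```

A handler that passes this check is not automatically safe: current_user_can() on a broad capability settles who may call the endpoint, but an IDOR fix also needs the handler to confirm that the supplied ID belongs to an object the caller is entitled to act on, which a regex cannot judge.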

Research Findings

Static analysis — not yet PoC-verified

Summary

The Shiprocket plugin for WordPress (versions <= 2.0.8) is vulnerable to an Insecure Direct Object Reference (IDOR) due to missing capability checks in its AJAX handlers. Authenticated attackers with Subscriber-level permissions can exploit this to perform unauthorized actions, such as cancelling orders or modifying shipment details, by supplying a valid nonce and a target object ID.

Vulnerable Code

// Inferred from research plan: shiprocket/includes/class-shiprocket-ajax-handler.php

add_action('wp_ajax_shiprocket_cancel_order', array($this, 'cancel_order'));

public function cancel_order() {
    // Nonce is verified, but nonces are often accessible to all logged-in users via admin-ajax localization
    check_ajax_referer('shiprocket_nonce', 'security');

    // Vulnerability: Missing current_user_can() or ownership check
    $order_id = sanitize_text_field($_POST['order_id']);
    
    // Directly acting on the user-supplied ID
    $response = $this->api_client->cancel_order($order_id);
    wp_send_json_success($response);
}
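The snippet above stops at nonce verification. As an added example, not the plugin's own code and not the advisory's patch, here is the same handler rewritten so that the request must pass an authorization decision made against the resolved order before anything is cancelled. It assumes WooCommerce is active (wc_get_order() and WC_Order::get_customer_id()), a hypothetical $this->api_client wrapper like the one in the snippet, and a deployment policy in which store staff may cancel any order while a customer may cancel only their own; all three are assumptions.

```php
<?php
// Added example, not the plugin's own code or the advisory's patch.
// The handler enforces, in order: a nonce bound to this action, validation of
// the supplied ID, resolution of that ID to a real order, and an authorization
// decision made against that order.
// Assumptions: WooCommerce is active (wc_get_order(), WC_Order methods),
// $this->api_client is a hypothetical wrapper like the one in the snippet, and
// the policy is "store staff may cancel any order, a customer only their own".

class Shiprocket_Ajax_Handler_Hardened {

    private $api_client;

    public function __construct( $api_client ) {
        $this->api_client = $api_client;
        // No wp_ajax_nopriv_ twin: anonymous requests never reach the handler.
        add_action( 'wp_ajax_shiprocket_cancel_order', array( $this, 'cancel_order' ) );
    }

    public function cancel_order() {
        // 1. CSRF: the nonce is scoped to this action rather than a plugin-wide token.
        check_ajax_referer( 'shiprocket_cancel_order', 'security' );

        // 2. Input validation: anything that is not a positive integer is rejected
        // before it reaches a lookup or the remote API.
        $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
        if ( 0 === $order_id ) {
            wp_send_json_error( array( 'message' => 'Invalid order id' ), 400 );
        }

        // 3. Object resolution: an unknown ID, or the ID of some other post type,
        // does not yield a WC_Order and is refused instead of being forwarded.
        $order = wc_get_order( $order_id );
        if ( ! $order instanceof WC_Order ) {
            wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
        }

        // 4. Authorization against the resolved object. A Subscriber has no
        // manage_woocommerce capability and owns none of the orders they guess,
        // so the request stops here. wp_send_json_error() ends the request via
        // wp_die(), so execution never continues past a failed check.
        $current_user = get_current_user_id();
        $is_staff     = current_user_can( 'manage_woocommerce' );
        $is_owner     = $current_user > 0 && (int) $order->get_customer_id() === $current_user;
        if ( ! $is_staff && ! $is_owner ) {
            wp_send_json_error( array( 'message' => 'Not allowed to cancel this order' ), 403 );
        }

        // 5. Act on the validated object, using its own ID rather than the raw input.
        $response = $this->api_client->cancel_order( $order->get_id() );
        wp_send_json_success( $response );
    }
}
```

The matching nonce is created with wp_create_nonce( 'shiprocket_cancel_order' ) wherever the script is localized. A nonce only proves the request originated from the site's own page for this logged-in user; it says nothing about whether that user may act on the object named in the request, which is why the capability and ownership step is a separate check made after the ID has been resolved.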

Security Fix

--- shiprocket/includes/class-shiprocket-ajax-handler.php
+++ shiprocket/includes/class-shiprocket-ajax-handler.php
@@ -5,6 +5,10 @@
 public function cancel_order() {
     check_ajax_referer('shiprocket_nonce', 'security');
 
+    if (!current_user_can('manage_woocommerce') && !current_user_can('manage_options')) {
+        wp_send_json_error('Unauthorized', 403);
+    }
+
     $order_id = sanitize_text_field($_POST['order_id']);
-    $response = $this->api_client->cancel_order($order_id);
+    $response = $this->api_client->cancel_order($order_id);
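Review bot: the `-`/`+` pair that closes the hunk is byte-identical (`-    $response = $this->api_client->cancel_order($order_id);` against the same `+` line), so it records no change; drop it or show what the call was meant to become. The new capability check does stop a Subscriber, and it halts the request because wp_send_json_error() ends in wp_die(), but the handler still passes the raw order_id straight to the API; for an IDOR fix it should also confirm that the ID resolves to an order the caller may act on (for a WooCommerce order, resolve it with wc_get_order() and reject a false result) before calling cancel_order(). The header `@@ -5,6 +5,10 @@` also does not match the five old and nine new lines shown, and the hunk ends before wp_send_json_success() and the closing brace, so it would not apply cleanly to the snippet above.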

Exploit Outline

The exploit targets the WordPress AJAX endpoint to perform unauthorized actions on Shiprocket objects.

  1. Authentication: The attacker logs in with a Subscriber-level account.
  2. Nonce Acquisition: The attacker navigates to any admin page (e.g., /wp-admin/profile.php) where the plugin localizes its scripts. They extract the 'shiprocket_nonce' (or similar security token) from the page source or global JavaScript objects (e.g., sr_admin_params).
  3. Target Identification: The attacker identifies the ID of the object they wish to manipulate (e.g., a WooCommerce order ID or Shiprocket shipment ID).
  4. Unauthorized Request: The attacker sends a POST request to /wp-admin/admin-ajax.php with the following parameters:
    • action: shiprocket_cancel_order (or other vulnerable action identified in the codebase)
    • order_id: [Target Object ID]
    • security: [Extracted Nonce]
  5. Result: Because the plugin fails to verify the user's capabilities (current_user_can), the action is executed successfully on the target ID regardless of the attacker's permissions.
