What the vulnerability does
01Description
Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MultiParcels Shipping For WooCommerce: from n/a through <= 1.30.12.
Explanation of Vulnerability in Simple Terms
02Summary
MultiParcels Shipping For WooCommerce versions up to 1.30.12 lack proper authorization checks on certain functions. A logged-in user with low privileges can modify shipping data or settings they should not have access to. The vulnerability does not expose sensitive information or cause service disruption, but allows unauthorized changes to plugin configuration.
What an attacker can do
03Attacker Capabilities
Modify shipping settings or data without proper authorization.
Potential impact on your site
04Site Impact
Unauthorized users can alter shipping configurations, potentially disrupting order fulfillment or exposing business logic.
Conditions required to exploit
05Prerequisites
Attacker must be logged in to the WordPress site with a low-privilege account (e.g., subscriber or customer).
Key dates
06Disclosure timeline
December 9, 2025
CVE published
April 28, 2026
Record updated