CVE-2025-23766: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-23766) was identified in the OPSI Israel Domestic Shipments WordPress plugin, affecting versions up to and including 2.6.6. The vulnerability was discovered by researcher Kévin Mosbahi (Mika) and was publicly disclosed on January 16, 2025. The issue stems from missing capability checks in the plugin's functionality, potentially allowing unauthorized access to certain features (WPScan, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The security flaw is characterized by broken access control, specifically relating to missing authorization checks that could allow unauthenticated users to perform privileged actions (Patchstack).

The vulnerability enables unauthenticated attackers to perform unauthorized actions within the plugin's functionality. The CVSS score of 6.5 indicates moderate severity, with potential impacts on both integrity and availability of the affected systems (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).