CVE-2025-26764: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-26764 affects the WordPress Distance Based Shipping Calculator plugin versions 2.0.22 and below. This security issue was discovered and reported by Kévin Mosbahi (Mika) on December 30, 2024, and was publicly disclosed on February 14, 2025. The vulnerability is characterized as a Missing Authorization issue that allows unauthenticated settings changes (Patchstack).

The vulnerability has been assigned a CVSS score of 6.5 (Medium severity) and is classified under the OWASP Top 10 category A1: Broken Access Control. The issue specifically relates to a Settings Change vulnerability that can be exploited without authentication (Patchstack).

This vulnerability is considered moderately dangerous and is expected to become exploited. The impact allows unauthorized users to modify settings within the Distance Based Shipping Calculator plugin, potentially affecting the shipping calculations and configurations of affected WordPress installations (Patchstack).

The vulnerability has been fixed in version 2.0.23 of the Distance Based Shipping Calculator plugin. Users are advised to update to version 2.0.23 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).