CVE-2025-30915: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-30915) was discovered in enituretechnology's Small Package Quotes – Worldwide Express Edition plugin affecting versions through 5.2.19. The vulnerability was disclosed on April 3, 2025, and involves incorrectly configured access control security levels (NVD, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in low-level impacts to integrity and availability (NVD, Patchstack).

The broken access control vulnerability allows unprivileged users to execute certain higher privileged actions. The vulnerability is considered moderately dangerous and is expected to become exploited in the wild (Patchstack).

The vulnerability has been fixed in version 5.2.20 of the Small Package Quotes – Worldwide Express Edition plugin. Users are advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).