The vulnerability identified as CVE-2026-25419 affects the flycart UpsellWP plugin through a missing authorization control in its checkout-upsell-and-order-bumps feature. This allows users with limited privileges to potentially access or manipulate functionality that should be restricted, due to incorrectly configured access control security levels. The issue affects versions up to 2.2.5. The CVSS 3.1 vector indicates the attack requires network access, low attack complexity, low privileges, no user interaction, and impacts confidentiality only, without affecting integrity or availability.

The impact is limited to a confidentiality loss, as indicated by the CVSS vector (C:L/I:N/A:N). There is no indication of integrity or availability impact. No known exploitation in the wild has been reported. The medium severity rating reflects that the vulnerability could allow unauthorized access to some information or functionality but does not enable full compromise or denial of service.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix links are provided, users should monitor flycart's official channels for updates. Until a fix is available, review and tighten access control configurations related to the checkout-upsell-and-order-bumps feature where possible to limit exposure.