CVE-2026-9240: CWE-862 Missing Authorization in iscpcolissimo Colissimo shipping methods for WooCommerce
The Colissimo Officiel plugin for WooCommerce contains a missing authorization vulnerability in its updateShippingMethod() function. This flaw allows authenticated users with Subscriber-level access or higher to modify shipping details of any WooCommerce order without proper permission checks. The vulnerability affects versions up to and including 2.9.0. It enables unauthorized modification of shipping method, pickup-point metadata, and shipping address for arbitrary orders.
AI Analysis
Technical Summary
CVE-2026-9240 describes a missing authorization vulnerability (CWE-862) in the Colissimo Officiel plugin for WooCommerce. The updateShippingMethod() function, triggered by the wp_ajax_lpc_order_affect AJAX action, lacks a current_user_can() capability check and nonce verification. As a result, authenticated attackers with minimal privileges can supply an order_id and modify shipment information of orders they do not own. This vulnerability affects all versions up to and including 2.9.0 of the plugin.
Potential Impact
An attacker with Subscriber-level or higher access can alter shipping methods, pickup relay data, and shipping addresses of arbitrary WooCommerce orders. This unauthorized modification can lead to order fulfillment errors, potential fraud, or disruption of shipping processes. There is no impact on confidentiality or availability reported, but integrity of order shipment data is compromised.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict user roles to trusted users only and monitor for suspicious changes to order shipment data. Avoid granting Subscriber-level or higher access to untrusted users. Follow vendor updates for an official patch or temporary fix.
CVE-2026-9240: CWE-862 Missing Authorization in iscpcolissimo Colissimo shipping methods for WooCommerce
Description
The Colissimo Officiel plugin for WooCommerce contains a missing authorization vulnerability in its updateShippingMethod() function. This flaw allows authenticated users with Subscriber-level access or higher to modify shipping details of any WooCommerce order without proper permission checks. The vulnerability affects versions up to and including 2.9.0. It enables unauthorized modification of shipping method, pickup-point metadata, and shipping address for arbitrary orders.
CVSS v3.1
Score 4.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9240 describes a missing authorization vulnerability (CWE-862) in the Colissimo Officiel plugin for WooCommerce. The updateShippingMethod() function, triggered by the wp_ajax_lpc_order_affect AJAX action, lacks a current_user_can() capability check and nonce verification. As a result, authenticated attackers with minimal privileges can supply an order_id and modify shipment information of orders they do not own. This vulnerability affects all versions up to and including 2.9.0 of the plugin.
Potential Impact
An attacker with Subscriber-level or higher access can alter shipping methods, pickup relay data, and shipping addresses of arbitrary WooCommerce orders. This unauthorized modification can lead to order fulfillment errors, potential fraud, or disruption of shipping processes. There is no impact on confidentiality or availability reported, but integrity of order shipment data is compromised.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict user roles to trusted users only and monitor for suspicious changes to order shipment data. Avoid granting Subscriber-level or higher access to untrusted users. Follow vendor updates for an official patch or temporary fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-21T18:54:54.933Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4f798268715ace432895aa
Added to database: 07/09/2026, 10:35:46 UTC
Last enriched: 07/09/2026, 10:47:58 UTC
Last updated: 07/09/2026, 11:27:06 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.