{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39602", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:50.116Z", "datePublished": "2026-04-08T08:30:21.845Z", "dateUpdated": "2026-04-08T08:30:21.845Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "order-tracking", "product": "Order Tracking", "vendor": "Rustaurius", "versions": [{"lessThanOrEqual": "3.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.998Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Order Tracking: from n/a through <= 3.4.3.</p>"}], "value": "Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:21.845Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/order-tracking/vulnerability/wordpress-order-tracking-plugin-3-4-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Order Tracking plugin <= 3.4.3 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3."}], "id": "CVE-2026-39602", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:29.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/order-tracking/vulnerability/wordpress-order-tracking-plugin-3-4-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Order Tracking", "source": "cna", "vendor": "Rustaurius"}, "product": "order_tracking", "vendor": "rustaurius"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:35:22.162802+00:00", "value": {"mitigation_remediation": ["Upgrade the Rustaurius Order Tracking plugin to the latest version that addresses the missing authorization flaw (e.g., 3.5 or newer).", "Confirm that the updated plugin enforces proper role checks so that only authorized users can view order information.", "If an update cannot be applied immediately, deactivate or uninstall the plugin to remove the access path.", "Audit site logs for any unauthorized access attempts to order data and consider tightening general WordPress permissions or deploying a web application firewall."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Order Information"}, "threat_synthesis": {"affected_systems": "All installations of the Rustaurius Order Tracking plugin with a version number 3.4.3 or earlier are affected. The plugin is widely deployed on WordPress sites that process customer orders. The advisory indicates that newer releases should contain a fix, though no specific patch version is cited.", "description_and_impact": "An unauthorized access vulnerability exists in the Rustaurius Order Tracking WordPress plugin up to version 3.4.3. The flaw is a missing authorization check that allows any visitor to retrieve detailed order information. Exposing such data can compromise customer privacy, undermine business confidentiality, and potentially lead to financial damage if the information is misused.", "risk_and_exploitability": "No publicly listed severity score is available, yet the absence of an access control check suggests a high risk of exploitation. Based on the description, it is inferred that an attacker can reach vulnerable plugin endpoints from anywhere on the web, bypassing authentication to read order data. This could be performed by unauthenticated users or users with limited privileges, exposing sensitive transaction details to anyone who can trigger the flaw."}}}}, "created": "2026-04-08T19:29:57.641099+00:00", "updated": "2026-04-08T19:42:16.358832+00:00", "vendors": ["rustaurius", "rustaurius$PRODUCT$order_tracking", "wordpress", "wordpress$PRODUCT$wordpress"]}