
CVE-2026-57341: Colissimo Officiel IDOR Vulnerability

CVE-2026-57341 is an unauthenticated IDOR flaw in the Colissimo Officiel plugin for WooCommerce that allows unauthorized access to sensitive data. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-57341 Overview

CVE-2026-57341 is an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability affecting the Colissimo Officiel: Méthodes de livraison pour WooCommerce plugin for WordPress. The flaw impacts all plugin versions up to and including 2.9.0. Attackers can access or manipulate resources belonging to other users by supplying predictable object identifiers over the network without any authentication. The weakness is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). Successful exploitation can result in limited integrity and availability impact against WooCommerce shipping-related data.

Critical Impact

Remote, unauthenticated attackers can reference internal Colissimo shipping objects belonging to other customers, exposing order-linked data and altering shipping records.

Affected Products

  • Colissimo Officiel: Méthodes de livraison pour WooCommerce plugin versions <= 2.9.0
  • WordPress sites running WooCommerce with the affected plugin installed
  • E-commerce environments using Colissimo shipping integration

Discovery Timeline

  • 2026-06-29 - CVE-2026-57341 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-57341

Vulnerability Analysis

The plugin exposes endpoints that reference internal objects using user-controlled identifiers without verifying whether the requesting party is authorized to access them. Because the affected endpoints do not require authentication, any remote attacker can iterate through identifiers and interact with shipping records tied to arbitrary orders or customers. The IDOR pattern here matches CWE-639, where authorization checks rely on the assumption that identifiers remain secret rather than enforcing per-request access control.

Root Cause

The root cause is missing authorization enforcement on request handlers that accept an object identifier as input. The plugin trusts the supplied key to determine which shipping resource to read or modify, and it omits ownership checks that would tie a request to an authenticated session or an order token. This design flaw allows lateral access across resources belonging to different WooCommerce customers.

Attack Vector

Exploitation occurs over the network with low attack complexity and no authentication or user interaction. An attacker sends crafted HTTP requests to the vulnerable plugin endpoints, substituting object identifiers to enumerate or manipulate shipping records. The confidentiality impact is none per the CVSS vector, while integrity and availability each carry low impact — attackers can alter or disrupt shipping-related data without exposing sensitive credentials.

No verified proof-of-concept code has been published. Refer to the Patchstack Vulnerability Advisory for further technical context.

Detection Methods for CVE-2026-57341

Indicators of Compromise

  • Unusual bursts of unauthenticated HTTP requests to Colissimo plugin endpoints containing sequential or enumerated numeric identifiers.
  • Web server access logs showing repeated 200 OK responses to unauthenticated requests referencing distinct order or shipping IDs from a single source.
  • Unexpected modifications to WooCommerce shipping records or Colissimo tracking metadata without a matching customer session.

Detection Strategies

  • Inspect access logs for requests to Colissimo plugin routes that lack an authenticated session cookie but include object identifier parameters.
  • Alert on high-cardinality identifier enumeration from a single IP address within a short time window.
  • Correlate WooCommerce order state changes with the presence or absence of an authenticated user session.
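The enumeration alert described above, as an added example that is not part of the original advisory: it parses combined-format access log lines, keeps successful requests to plugin routes that carry a numeric object identifier, and flags any source IP that references at least `threshold` distinct identifiers inside a sliding time window. The plugin path is the one from the WAF rule on this page; the identifier parameter names and the `label.php` route in the constructed sample are assumptions, since the advisory does not name the vulnerable endpoints.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical route and parameter names: the advisory does not publish the vulnerable
# endpoints, so set PLUGIN_PATH and ID_PARAMS to match your deployment.
PLUGIN_PATH = "/wp-content/plugins/colissimo-shipping-methods-for-woocommerce/"
ID_PARAMS = ("order_id", "id", "shipment")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r"[?&](?:%s)=(\d+)" % "|".join(ID_PARAMS))

def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format access log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def enumeration_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Map each source IP to the largest count of distinct object IDs it referenced on plugin
    routes within any `window`; only IPs at or above `threshold` are returned. Only 2xx
    responses count, because those show the server accepted the object reference."""
    events = defaultdict(list)  # ip -> [(timestamp, object_id)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if PLUGIN_PATH not in path or not 200 <= status < 300:
            continue
        id_match = ID_RE.search(path)
        if id_match:
            events[ip].append((ts, id_match.group(1)))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(ids))
    return flagged

# Constructed sample: one source walks sequential order IDs, one customer views a single order.
_T = '%s - - [01/Jul/2026:10:00:%02d +0000] "GET %s?order_id=%d HTTP/1.1" %d 512 "-" "curl/8.0"'
SAMPLE_LOG = [_T % ("198.51.100.7", s, PLUGIN_PATH + "label.php", 1000 + s, 200) for s in range(6)]
SAMPLE_LOG += [_T % ("203.0.113.9", 30, PLUGIN_PATH + "label.php", 4242, 200),
               _T % ("198.51.100.7", 40, PLUGIN_PATH + "label.php", 1099, 404)]
```

Running `enumeration_sources(SAMPLE_LOG)` flags only 198.51.100.7 with six distinct identifiers; the rejected 404 request and the single-order customer do not contribute.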

Monitoring Recommendations

  • Enable verbose logging on the WordPress site and forward web access logs to a centralized SIEM for query and retention.
  • Track baselines for anonymous traffic to plugin endpoints and alert on deviations.
  • Monitor plugin version inventory across managed WordPress deployments to identify hosts still running vulnerable releases.

How to Mitigate CVE-2026-57341

Immediate Actions Required

  • Upgrade the Colissimo Officiel plugin to a version later than 2.9.0 once the vendor publishes a fixed release.
  • Audit WooCommerce order and shipping records for unauthorized modifications since the plugin was installed.
  • Restrict administrative access to the WordPress backend and rotate credentials for accounts with plugin management permissions.

Patch Information

At the time of NVD publication, the advisory covers all versions <= 2.9.0. Consult the Patchstack Vulnerability Advisory for the latest fixed version and vendor guidance.

Workarounds

  • Deploy a web application firewall (WAF) rule to block unauthenticated requests to the affected plugin endpoints.
  • Temporarily disable the Colissimo Officiel plugin on sites that cannot upgrade until a patched release is available.
  • Apply virtual patching via Patchstack or an equivalent WordPress protection service to intercept exploit attempts.
```apache
# Example WAF rule concept (ModSecurity): block unauthenticated access to Colissimo plugin endpoints.
# Adjust the path and cookie checks to match your deployment. WordPress names its login cookie
# wordpress_logged_in_<hash>, so the chained rule matches the cookie name by prefix rather than
# by exact name. Guest-checkout flows may legitimately reach these routes; test before enforcing.
SecRule REQUEST_URI "@rx /wp-content/plugins/colissimo-shipping-methods-for-woocommerce/" \
  "id:1057341,phase:1,deny,status:403,log,\
   msg:'CVE-2026-57341 IDOR attempt against Colissimo plugin',\
   chain"
  SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
