Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57760

CVE-2026-57760: Sendcloud Shipping Auth Bypass Flaw

CVE-2026-57760 is an authorization bypass vulnerability in Sendcloud Shipping that allows attackers to exploit misconfigured access controls. This article covers technical details, affected versions up to 1.0.29, and mitigation.

Published:

CVE-2026-57760 Overview

CVE-2026-57760 is a Missing Authorization vulnerability [CWE-862] in the Sendcloud Shipping WordPress plugin. The flaw affects all plugin versions up to and including 1.0.29. The vulnerability stems from incorrectly configured access control security levels on plugin endpoints. Attackers can reach protected functionality over the network without authentication or user interaction. Successful exploitation results in limited integrity impact, allowing unauthorized modification of data managed by the plugin. Confidentiality and availability are not affected. Site owners running the Sendcloud Connected Shipping plugin should upgrade to a fixed release once available from the vendor.

Critical Impact

Unauthenticated network attackers can exploit broken access control to invoke restricted plugin functions and tamper with shipping-related data on affected WordPress sites.

Affected Products

  • Sendcloud Shipping WordPress plugin versions through 1.0.29
  • WordPress sites using the sendcloud-connected-shipping plugin
  • E-commerce deployments integrating Sendcloud shipping workflows

Discovery Timeline

  • 2026-07-02 - CVE-2026-57760 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-57760

Vulnerability Analysis

The Sendcloud Shipping plugin exposes functionality through WordPress action handlers and REST endpoints. The plugin fails to enforce proper authorization checks on one or more of these entry points. As a result, requests that should require an authenticated administrator or shop manager role can be issued anonymously. This is a classic broken access control weakness classified under [CWE-862] Missing Authorization.

Because the attack vector is network-based and requires no privileges or user interaction, the endpoints are directly reachable from the public internet. The impact is limited to integrity, indicating that an attacker can modify state exposed by the vulnerable endpoint but cannot exfiltrate sensitive data or take the site offline through this issue alone.

Root Cause

The root cause is the absence or misconfiguration of capability checks and nonce verification within plugin request handlers. WordPress plugins are expected to validate the caller with functions such as current_user_can() and to verify request nonces with check_ajax_referer() or wp_verify_nonce(). When these checks are omitted or applied to the wrong endpoints, restricted actions become invocable by unauthenticated users.

Attack Vector

An unauthenticated remote attacker sends crafted HTTP requests to the vulnerable plugin endpoint on a target WordPress site. Because no authentication, privileges, or user interaction are required, exploitation can be automated at scale against sites running Sendcloud Shipping through version 1.0.29. Refer to the Patchstack WordPress Vulnerability advisory for endpoint-level technical detail.

No verified public exploit code is available for CVE-2026-57760.
See the Patchstack advisory linked above for endpoint details.

Detection Methods for CVE-2026-57760

Indicators of Compromise

  • Unauthenticated HTTP POST or GET requests to Sendcloud plugin endpoints under /wp-admin/admin-ajax.php or /wp-json/ paths originating from unexpected IP ranges.
  • Unexpected changes to shipping configuration, order shipment records, or Sendcloud integration settings without a corresponding administrator session.
  • WordPress access logs showing plugin action parameters invoked without a logged-in user cookie.

Detection Strategies

  • Review web server and WordPress access logs for requests targeting sendcloud action names or REST routes that lack authentication cookies.
  • Correlate plugin state changes in the database with administrative session activity to identify writes that have no matching authenticated user.
  • Deploy a Web Application Firewall (WAF) signature that flags anonymous requests to Sendcloud plugin endpoints.

Monitoring Recommendations

  • Enable WordPress audit logging to capture plugin option changes, order edits, and REST API calls.
  • Alert on spikes in traffic to admin-ajax.php with action=sendcloud* parameters from a single source.
  • Monitor plugin version inventory across managed WordPress fleets to identify hosts still running Sendcloud Shipping 1.0.29 or earlier.

How to Mitigate CVE-2026-57760

Immediate Actions Required

  • Update the Sendcloud Shipping plugin to the vendor-supplied fixed version as soon as it becomes available.
  • Restrict access to /wp-admin/ and /wp-json/ endpoints at the WAF or reverse proxy layer to trusted networks where feasible.
  • Audit recent plugin-related database writes and shipping configuration changes for signs of tampering.

Patch Information

Refer to the Patchstack advisory for the latest fixed version and vendor patch details. Sites running the plugin through version 1.0.29 are affected and must upgrade.

Workarounds

  • Temporarily deactivate the Sendcloud Shipping plugin until a patched release is installed.
  • Apply virtual patching rules in a WAF to block unauthenticated requests to Sendcloud plugin action names and REST routes.
  • Enforce IP allowlisting on WordPress administrative and REST endpoints for environments where external access is not required.
bash
# Example nginx rule to block unauthenticated access to Sendcloud plugin actions
location = /wp-admin/admin-ajax.php {
    if ($arg_action ~* "^sendcloud") {
        set $block 1;
    }
    if ($http_cookie !~* "wordpress_logged_in") {
        set $block "${block}1";
    }
    if ($block = "11") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.