Skip to main content
CVE Vulnerability Database

CVE-2026-9240: WordPress Colissimo Plugin Auth Bypass Flaw

CVE-2026-9240 is an authorization bypass vulnerability in the Colissimo Officiel plugin for WooCommerce that allows authenticated attackers to modify shipping data of any order. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-9240 Overview

CVE-2026-9240 affects the Colissimo Officiel: Méthodes de livraison pour WooCommerce plugin for WordPress in all versions up to and including 2.9.0. The updateShippingMethod() handler, registered to the wp_ajax_lpc_order_affect AJAX action, performs neither a current_user_can() capability check nor nonce verification. Authenticated attackers with Subscriber-level access can modify shipping method, pickup relay data, and shipping addresses on arbitrary WooCommerce orders, including orders placed by other users. The flaw is categorized as Broken Access Control [CWE-862].

Critical Impact

Subscriber-level attackers can tamper with any WooCommerce order's shipping method, pickup point, and delivery address, enabling package redirection and order fraud.

Affected Products

  • Colissimo Officiel: Méthodes de livraison pour WooCommerce plugin for WordPress
  • Versions up to and including 2.9.0
  • WordPress sites running WooCommerce with the vulnerable plugin installed

Discovery Timeline

  • 2026-07-09 - CVE-2026-9240 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-9240

Vulnerability Analysis

The vulnerability resides in the plugin's admin order handler at admin/orders/lpc_admin_order_affect.php. The updateShippingMethod() function is bound to the wp_ajax_lpc_order_affect AJAX action, which WordPress exposes to any authenticated user. The handler accepts an attacker-supplied order_id and rewrites that order's shipping method, pickup-point metadata, and shipping address without validating the caller's role or intent.

Because no current_user_can() check gates the operation, WordPress treats Subscribers, Customers, and higher roles as equivalent to shop administrators for this endpoint. The absence of nonce verification also removes the request-origin control that would otherwise limit cross-site abuse.

Root Cause

The root cause is a Missing Authorization flaw [CWE-862]. The AJAX handler assumes the caller is a store administrator based solely on authentication state. Two controls that WordPress guidance recommends are absent: capability verification through current_user_can() and request integrity verification through check_ajax_referer() or equivalent nonce validation.

Attack Vector

An authenticated attacker holding at least Subscriber privileges sends a crafted POST request to /wp-admin/admin-ajax.php with action=lpc_order_affect and a target order_id belonging to another customer. The handler updates the order's shipping method, pickup relay identifier, and shipping address to attacker-controlled values. This enables package redirection, delivery fraud, and manipulation of fulfillment records across the store.

No verified public exploit code is available. See the Wordfence Vulnerability Report and the WordPress Plugin Code Snippet for technical details.

Detection Methods for CVE-2026-9240

Indicators of Compromise

  • Unexpected POST requests to /wp-admin/admin-ajax.php with action=lpc_order_affect originating from low-privilege user sessions
  • WooCommerce order meta changes to _shipping_address_1, _shipping_city, _shipping_postcode, or pickup-point fields without a corresponding admin session
  • Shipping method reassignments on orders not owned by the acting user account
  • WordPress audit log entries showing Subscriber accounts triggering lpc_order_affect calls

Detection Strategies

  • Alert on any invocation of the wp_ajax_lpc_order_affect action by users whose role is not shop_manager or administrator
  • Correlate WooCommerce order modification events with the WordPress user role of the requester
  • Monitor for high-frequency AJAX requests iterating through sequential order_id values

Monitoring Recommendations

  • Enable a WordPress activity log plugin to capture order meta changes and AJAX action invocations
  • Forward web server access logs and WordPress audit events to a centralized logging platform for role-versus-action correlation
  • Review WooCommerce order edit history for unauthorized shipping address changes preceding fulfillment

How to Mitigate CVE-2026-9240

Immediate Actions Required

  • Update the Colissimo Officiel plugin to a version released after 2.9.0 that includes capability and nonce checks on updateShippingMethod()
  • Audit recent WooCommerce orders for unauthorized shipping method, pickup point, or address changes
  • Restrict Subscriber and Customer role registration if not required by the storefront
  • Review the WordPress Plugin Change Log to confirm the fix commit is present

Patch Information

The vulnerability is present in versions up to and including 2.9.0. Refer to the WordPress Plugin Change Log for the remediation commit and install the latest plugin release from the WordPress plugin repository.

Workarounds

  • Temporarily deactivate the Colissimo Officiel plugin until the patched version is installed
  • Deploy a web application firewall rule to block unauthenticated or Subscriber-level requests to admin-ajax.php carrying action=lpc_order_affect
  • Disable open user registration to reduce the pool of accounts able to reach the vulnerable endpoint
  • Enforce two-factor authentication on privileged WordPress accounts to limit escalation opportunities
bash
# Configuration example: block the vulnerable AJAX action at the web server layer until patched
# nginx snippet
location = /wp-admin/admin-ajax.php {
    if ($arg_action = "lpc_order_affect") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.