CVE-2026-9240 in Colissimo Officiel Plugininfo

Summary

by MITRE • 07/09/2026

The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod() function (registered to the wp_ajax_lpc_order_affect AJAX action) in versions up to, and including, 2.9.0. This is due to the handler performing no current_user_can() capability check and no nonce verification before reading an attacker-supplied order_id and modifying that order's shipping method, pickup-point meta, and shipping address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or modify the shipment information (shipping method, pickup relay data, and shipping address) of arbitrary WooCommerce orders, including orders placed by other users.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in the Colissimo Officiel plugin for WordPress represents a critical authorization flaw that undermines the integrity of e-commerce operations within the WooCommerce ecosystem. This security weakness exists in versions up to and including 2.9.0, where the updateShippingMethod() function fails to implement proper access controls when processing AJAX requests through the wp_ajax_lpc_order_affect action. The absence of capability verification creates a pathway for malicious actors to manipulate shipment data without proper authorization, directly violating fundamental security principles of least privilege and access control that are essential in web application security.

The technical implementation of this vulnerability stems from the plugin's failure to validate user permissions before executing sensitive operations. Specifically, the handler lacks both current_user_can() checks and nonce verification mechanisms that would normally prevent unauthorized modifications to order data. This omission allows attackers to supply arbitrary order_id parameters through the AJAX endpoint, enabling them to modify shipping methods, pickup-point metadata, and complete shipping addresses for any order within the system. The vulnerability is particularly concerning because it operates at the administrative level of order management, where changes to shipment information can have significant financial and operational implications.

The operational impact of this vulnerability extends beyond simple data modification, creating potential vectors for fraud and service disruption within WooCommerce environments. Authenticated attackers with Subscriber-level access or higher can exploit this weakness to alter shipment details for orders belonging to other users, potentially redirecting packages to unauthorized locations or changing shipping methods to more expensive options. This capability directly conflicts with the principles outlined in CWE-285, which addresses insufficient authorization checks that allow unauthorized access to protected resources. The vulnerability essentially transforms legitimate user accounts into potential tools for order manipulation, undermining trust in the integrity of the e-commerce platform.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1078.004, which describes valid accounts being used to perform unauthorized actions within systems. Attackers can leverage existing user credentials to gain access to administrative functions without requiring elevated privileges or complex attack chains. The attack surface is further expanded by the fact that any user with Subscriber-level access can potentially exploit this issue, making it particularly dangerous in environments where multiple users have varying levels of system access. Organizations should consider this vulnerability as part of their broader security posture assessment, particularly in relation to supply chain attacks and insider threats.

The recommended mitigations for this vulnerability include immediate plugin updates to versions that implement proper capability checks and nonce verification, along with comprehensive user access reviews to ensure appropriate privilege levels are maintained. System administrators should also implement additional monitoring mechanisms to detect unauthorized order modifications and consider implementing rate limiting on AJAX endpoints to prevent automated exploitation attempts. Organizations should conduct thorough security assessments of all plugins and themes to identify similar authorization gaps, as this vulnerability demonstrates how seemingly minor implementation oversights can create significant security risks in e-commerce platforms.

Responsible

Wordfence

Reservation

05/21/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!