CVE-2025-68051
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Shiprocket WordPress plugin. The plugin uses a user-supplied key (such as an order or shipment ID) to look up a record without verifying that the requesting user is authorized for that particular object, so an attacker who changes the key in a request can read or modify data belonging to other users. All WordPress sites running Shiprocket plugin versions up to and including 2.0.8 are affected.
💻 Affected Systems
- Shiprocket WordPress Plugin
⚠️ Manual Verification Required
The CVE database entry for this issue does not carry a machine-readable affected-version range (none was provided by the vendor/NVD), so automatic vulnerability detection cannot decide from a scan whether your system is affected.
The advisory text does give the affected range: every release up to and including 2.0.8. Compare your installed version against that manually using the steps below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Bulk exposure of other customers' personal information, order details and shipping data to any low-privileged user of the site, with exfiltration at scale by enumerating identifiers; where the affected operations allow writes, tampering with other users' orders or shipping details.
Likely Case
Unauthorized access to other users' shipping information, order details, and personal data; potential for data leakage and privacy violations.
If Mitigated
Limited impact with proper access controls, logging, and monitoring in place; unauthorized access attempts would be detected and blocked.
🎯 Exploit Status
Exploitation requires at least a low-privilege authenticated account. IDOR flaws need no special tooling beyond changing an identifier in an otherwise legitimate request, and they are commonly exploited in real-world attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 2.0.8
Restart Required: No
Instructions:
1. Log into the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find the Shiprocket plugin and note its installed version
4. Click 'Update Now' if an update to a version above 2.0.8 is offered
5. If no update is offered, check the plugin's page in the WordPress.org plugin directory for a release above 2.0.8 and install it from there
6. If no fixed release exists yet, deactivate the plugin until one does (see Temporary Workarounds)
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Shiprocket plugin until a patched version is available:
wp plugin deactivate shiprocket
Web Application Firewall Rules
Add WAF rules that flag object-ID enumeration: one client or session requesting many distinct order or shipment identifiers in a short window. A WAF cannot tell a legitimate object reference from a manipulated one, so treat these rules as rate limiting and alerting, not as a fix for the missing authorization check.
🧯 If You Can't Patch
- Enforce object-level authorization in the application layer: every request that references an order, shipment or customer record must verify that the record belongs to the current user (or that the user holds a capability that grants access), not merely that the user is logged in
- Enable detailed logging of access to those records and monitor it for unauthorized access attempts (see Detection & Monitoring)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Shiprocket version
Check Version:
wp plugin list --name=shiprocket --field=version
Verify Fix Applied:
Verify Shiprocket plugin version is > 2.0.8 in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to shipping/order endpoints
- Requests with manipulated object IDs
- Failed authorization attempts for user data access
Network Indicators:
- HTTP requests with sequential or predictable object IDs
- Unauthorized API calls to shipping endpoints
SIEM Query (starting point only; the advisory does not name the vulnerable endpoint, so the `/wp-json/shiprocket/*` path is an assumption about the plugin's REST namespace and must be adjusted to the routes your install actually exposes):
source="wordpress" AND (uri_path="/wp-json/shiprocket/*" OR uri_path="/wp-admin/admin-ajax.php") AND (status_code=200 OR status_code=403)
Group the matches by client IP or authenticated user and alert when a single principal touches many distinct object IDs within a short window. A successful IDOR request returns 200 and looks like ordinary traffic, so the number and spread of identifiers is the signal rather than the status code; 403 responses indicate the check held but that someone is probing it.
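As an added example, not code from the Shiprocket plugin or from this advisory's vendor, the following Python script runs the detection logic described above over a handful of constructed access-log lines: it groups requests by client, extracts the object identifier from the query string or the trailing REST path segment, and flags any client that touches many distinct IDs within a sliding window, reporting how many of those requests were served (the authorization check was missing) versus denied (the check held but the client is probing). The `admin-ajax.php?action=shiprocket_order&order_id=` and `/wp-json/shiprocket/v1/orders/` routes, the `order_id` parameter name and the log lines themselves are illustrative assumptions, since the advisory does not name the vulnerable endpoint.

```python
"""Flag IDOR-style object-ID enumeration in web access logs.

Added example for this advisory; not code from the Shiprocket plugin or its
vendor. Assumes combined-format access logs (the Apache/nginx default). The
Shiprocket request paths and the order_id parameter name are illustrative
assumptions: the advisory does not name the vulnerable endpoint.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not real logs). 203.0.113.7 walks sequential
# order IDs and gets 200s (authorization is missing); 192.0.2.9 probes IDs and
# is denied with 403s (authorization holds, but someone is testing it);
# 198.51.100.20 behaves like an ordinary customer.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=1002 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=1003 HTTP/1.1" 200 505 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=1004 HTTP/1.1" 200 511 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=1005 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=1006 HTTP/1.1" 200 497 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2025:10:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=5542 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2025:10:01:15 +0000] "GET /wp-json/shiprocket/v1/orders/5542 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2025:10:01:20 +0000] "GET /shop/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=7010 HTTP/1.1" 403 42 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jan/2025:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=7012 HTTP/1.1" 403 42 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jan/2025:10:02:02 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=7014 HTTP/1.1" 403 42 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jan/2025:10:02:03 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=7016 HTTP/1.1" 403 42 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jan/2025:10:02:04 +0000] "GET /wp-admin/admin-ajax.php?action=shiprocket_order&order_id=7018 HTTP/1.1" 403 42 "-" "curl/8.4.0"
this line is not in combined log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Query parameters that look like object references: id, order_id, shipment_id
ID_PARAM_RE = re.compile(r"(^|_)id$")


def extract_object_id(uri):
    """Return the numeric object reference in a request URI, or None."""
    parts = urlsplit(uri)
    for key, values in parse_qs(parts.query).items():
        if ID_PARAM_RE.search(key) and values[0].isdigit():
            return int(values[0])
    # REST-style reference as the trailing path segment, e.g. /orders/5542
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return int(last) if last.isdigit() else None


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["object_id"] = extract_object_id(rec["uri"])
    return rec


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for i in sorted(ids):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def find_enumeration(lines, window=timedelta(seconds=60), min_distinct=5):
    """Return {client_ip: finding} for clients that touched at least
    min_distinct distinct object IDs inside any sliding window of the given length."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["object_id"] is not None:
            by_client[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            ids = {r["object_id"] for r in span}
            if len(ids) < min_distinct or len(ids) <= findings.get(ip, {}).get("distinct_ids", 0):
                continue
            findings[ip] = {
                "distinct_ids": len(ids),
                "longest_sequential_run": longest_sequential_run(ids),
                # 2xx means the object was served: the authorization check failed
                "successful": sum(1 for r in span if 200 <= r["status"] < 300),
                # 403 means the check held but the client is still probing
                "denied": sum(1 for r in span if r["status"] == 403),
                "first_seen": span[0]["ts"].isoformat(),
                "last_seen": span[-1]["ts"].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

Run against real logs, the `min_distinct` and `window` thresholds need tuning to the site's traffic, and grouping by authenticated user (where the log records one) is more reliable than grouping by IP. The split between `successful` and `denied` is what matters for triage: a high `successful` count on an unpatched site means the data was actually served.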