CVE-2026-25317
Published: 25 March 2026
Summary
CVE-2026-25317 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
AC-3 enforces approved authorizations for access to system resources, directly preventing exploitation of the missing authorization vulnerability in the WooCommerce plugin.
SI-2 requires timely identification, reporting, and correction of flaws, such as patching the vulnerable woocommerce-delivery-notes plugin beyond version 5.9.0.
SC-5 protects against denial-of-service events, mitigating the high availability disruption caused by unauthenticated exploitation of the access control flaw.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Missing authorization in public-facing WordPress plugin enables unauthenticated remote exploitation causing application crash/DoS (T1190 for public app exploitation; T1499.004 for application/system exploitation leading to availability impact).
NVD Description
Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.9.0.
Deeper analysis (AI)
CVE-2026-25317 is a missing authorization vulnerability (CWE-862) in the Print Invoice & Delivery Notes for WooCommerce WordPress plugin developed by tychesoftwares. The flaw, which involves exploiting incorrectly configured access control security levels, affects all versions of the woocommerce-delivery-notes plugin up to and including 5.9.0. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impact with no privileges required.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation leads to high availability disruption, such as crashing the affected WordPress site or plugin functionality, without impacting confidentiality or integrity.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woocommerce-delivery-notes/vulnerability/wordpress-print-invoice-delivery-notes-for-woocommerce-plugin-5-9-0-broken-access-control-vulnerability?_s_id=cve details the broken access control issue in version 5.9.0 and recommends updating to a patched version beyond 5.9.0 to mitigate the vulnerability.
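For the SI-2 step, an installed copy can be checked against the affected range (through 5.9.0) by reading the plugin's header version from disk. This is an added example, not code from the advisory or the plugin; it assumes the default `wp-content/plugins` layout, and because this page does not name the fixed release it only reports whether a copy is at or below 5.9.0.

```python
import re
from pathlib import Path

SLUG = "woocommerce-delivery-notes"  # plugin slug, from the advisory
LAST_AFFECTED = (5, 9, 0)            # advisory: affected through <= 5.9.0

# WordPress takes the version from a "Version:" line in the header comment
# of a PHP file in the plugin's top-level directory.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)",
                       re.IGNORECASE | re.MULTILINE)


def header_version(text):
    """Return the header version as an int tuple, or None if no header."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads only about the first 8 KB
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))    # "5.9" compares as 5.9.0
    return tuple(parts)


def classify(version):
    """Map a parsed version onto the advisory's affected range."""
    if version is None:
        return "unknown"
    return "affected" if version <= LAST_AFFECTED else "above-affected-range"


def audit(wp_root):
    """Check one WordPress root; assumes the default wp-content/plugins layout."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    for php in sorted(plugin_dir.glob("*.php")):
        version = header_version(php.read_text(encoding="utf-8", errors="replace"))
        if version is not None:
            return classify(version)
    return "unknown"  # directory present but no readable header: check by hand


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:
        print(f"{root}: {audit(root)}")
```

A deactivated plugin still has its files on disk, so `affected` here means the vulnerable code is present, not necessarily that it is active.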
Details
- CWE(s)