{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25365", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-25T16:14:45.681Z", "dateUpdated": "2026-03-26T16:50:46.664Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "kargo-takip-turkiye", "product": "Kargo Takip", "vendor": "\u00d6zg\u00fcr KARALAR", "versions": [{"changes": [{"at": "0.2.4", "status": "unaffected"}], "lessThanOrEqual": "< 0.2.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:24.212Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Kargo Takip: from n/a through < 0.2.4.</p>"}], "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.681Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/kargo-takip-turkiye/vulnerability/wordpress-kargo-takip-plugin-0-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Kargo Takip plugin < 0.2.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:30.391973Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:50:46.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:30.391973Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:14.750Z"}}], "cna": {"title": "WordPress Kargo Takip plugin < 0.2.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "\u00d6zg\u00fcr KARALAR", "product": "Kargo Takip", "versions": [{"status": "affected", "changes": [{"at": "0.2.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 0.2.4"}], "packageName": "kargo-takip-turkiye", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:24.212Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/kargo-takip-turkiye/vulnerability/wordpress-kargo-takip-plugin-0-2-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Kargo Takip: from n/a through < 0.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.681Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25365", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:40:31.475Z", "dateReserved": "2026-02-02T12:52:55.300Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:45.681Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a Kargo Takip: desde n/a hasta &lt; 0.2.4."}], "id": "CVE-2026-25365", "lastModified": "2026-03-26T17:16:30.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.420", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/kargo-takip-turkiye/vulnerability/wordpress-kargo-takip-plugin-0-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.2.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kargo Takip", "source": "cna", "vendor": "\u00d6zg\u00fcr KARALAR"}, "product": "kargo_takip", "vendor": "\u00f6zg\u00fcr_karalar"}], "analysis": {"en": {"generated_at": "2026-03-25T17:59:53.568915+00:00", "value": {"mitigation_remediation": ["Upgrade the Kargo Takip plugin to version 0.2.4 or later.", "Verify that the WordPress installation and all related plugins are on their latest secure versions.", "Check the site\u2019s access control settings to ensure no unintended permissions remain exposed."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Deployments that use the Kargo Takip plugin run at risk when installed on a WordPress site, particularly versions predating 0.2.4. The product is distributed by \u00d6zg\u00fcr\u202fKARALAR and is intended for Turkish cargo tracking integration. Any WordPress installation featuring the plugin before the 0.2.4 update is affected; newer releases are not. Administrators should verify the exact plugin version in use and confirm whether it falls within the vulnerable range.", "description_and_impact": "A missing authorization flaw in the \u00d6zg\u00fcr\u202fKARALAR Kargo Takip WordPress plugin allows attackers to gain unauthorized access to protected resources by exploiting incorrectly configured access control security levels. The vulnerability means that users who do not have proper permissions can potentially view or manipulate tracking data that should be restricted, compromising the confidentiality and integrity of delivery information. The weakness is classified as a broken access control issue, preventing the separation of duties expected by the application.", "risk_and_exploitability": "The CVE record does not provide a CVSS score or EPSS likelihood, and the vulnerability is not included in the CISA KEV catalog, indicating limited publicly documented exploitation. Still, the nature of the flaw allows remote actors to traverse authentication barriers without additional credentials, suggesting a potentially high impact if the plugin handles sensitive logistics data. Attackers would need to target the WordPress site and interact with the plugin\u2019s API or web interface, a path that is typically reachable over the network. Organisations with unpatched deployments should treat this as a significant risk until an update is applied."}}}}, "created": "2026-03-25T21:44:51.037711+00:00", "updated": "2026-03-26T11:38:45.880263+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "\u00f6zg\u00fcr_karalar", "\u00f6zg\u00fcr_karalar$PRODUCT$kargo_takip"]}