Colissimo Officiel WooCommerce Unauthorized Shipping Modification Vulnerability
The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod() function (registered to the wp_ajax_lpc_order_affect AJAX action) in versions up to, and including, 2.9.0. This is due to the handler performing no current_user_can() capability check and no nonce verification before reading an attacker-supplied order_id and modifying that order's shipping method, pickup-point meta, and shipping address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or modify the shipment information (shipping method, pickup relay data, and shipping address) of arbitrary WooCommerce orders, including orders placed by other users.
Quick answer
La Poste Colissimo Colissimo Officiel : Methodes de livraison pour WooCommerce should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Colissimo Officiel for WooCommerce up to and including 2.9.0
Fixed versions
- Apply the latest patched plugin release after 2.9.0
How to fix it
Colissimo Officiel for WooCommerce is affected by a missing capability and nonce check in updateShippingMethod through version 2.9.0. Update the plugin to a patched release and review WooCommerce orders for unauthorized shipping method or pickup-point changes. Prioritize stores that allow subscriber or customer accounts.
- Inventory WordPress and WooCommerce sites using the Colissimo Officiel plugin.
- Update the plugin to the latest patched release after 2.9.0.
- Restrict wp_ajax_lpc_order_affect handling to users with the correct order capability and nonce validation.
- Review WooCommerce orders, shipping methods, pickup relay metadata, and shipping addresses for unauthorized changes.
- Check subscriber-level account activity around order shipping updates.
- Clear WordPress and object caches after plugin updates.
- Rotate administrator credentials if unauthorized order modification is found.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the Colissimo Officiel plugin is patched beyond 2.9.0.
- Validate subscriber-level users cannot modify shipping data for arbitrary orders.
- Review WooCommerce and web server logs for wp_ajax_lpc_order_affect abuse.
- Test legitimate shipping method and pickup relay workflows after remediation.
- Run a Fixnx scan and confirm public WordPress/WooCommerce pages do not expose vulnerable behavior.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-9240?
La Poste Colissimo Colissimo Officiel : Methodes de livraison pour WooCommerce versions listed as affected should be reviewed: Colissimo Officiel for WooCommerce up to and including 2.9.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
