CVE-2025-49339

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in Digages Direct Payments WP direct-payments-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Direct Payments WP: from n/a through <= 1.3.2.

Analysis

Missing authorization in the Direct Payments WP WordPress plugin, version 1.3.2 and earlier, lets attackers bypass the plugin's access control and exploit incorrectly configured security levels, potentially gaining unauthorized access to payment functionality. This authorization bypass affects all users of the plugin up to version 1.3.2. The record carries no CVSS score; its EPSS score of 0.01% indicates a very low probability of real-world exploitation.

Technical Context

The vulnerability stems from improper access control implementation in the Direct Payments WP WordPress plugin, classified under CWE-862 (Missing Authorization). WordPress plugins rely on capability-checking functions (such as current_user_can()) to gate access to sensitive functionality. This plugin fails to properly validate user permissions before exposing payment-related operations, allowing the security model to be bypassed through direct requests or parameter manipulation. The vulnerability affects the plugin's core payment processing logic, which should be restricted to authenticated administrators or specific roles with proper authorization checks.
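The CWE-862 shape described above, as an added illustration that is not the plugin's code (this record does not show the actual vulnerable handler): a constructed WordPress admin-ajax handler that writes a payment setting without any permission check, beside a hardened form gated by current_user_can() and a nonce. All names prefixed dpw_demo_ are hypothetical; the WordPress APIs used are real.

```php
<?php
// Added example, not code from Direct Payments WP. Names prefixed
// dpw_demo_ are hypothetical; current_user_can(), check_ajax_referer(),
// add_action() and wp_send_json_* are real WordPress APIs.

// CWE-862 shape: an admin-ajax endpoint that stores a payment setting
// without asking who the caller is. wp_ajax_* hooks fire for any
// logged-in account (a subscriber included), so login is the only gate
// and the authorization check the security model assumes is missing.
function dpw_demo_save_payee_unchecked() {
    $payee = sanitize_text_field( wp_unslash( $_POST['payee'] ?? '' ) );
    update_option( 'dpw_demo_payee', $payee );
    wp_send_json_success( array( 'payee' => $payee ) ); // exits
}
add_action( 'wp_ajax_dpw_demo_save_payee', 'dpw_demo_save_payee_unchecked' );

// Hardened form: capability check first, then CSRF nonce, then state change.
function dpw_demo_save_payee_checked() {
    // Authorization: only accounts allowed to manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'forbidden' ), 403 ); // exits
    }
    // CSRF: nonce bound to this action; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'dpw_demo_save_payee', '_ajax_nonce' );

    $payee = sanitize_text_field( wp_unslash( $_POST['payee'] ?? '' ) );
    if ( '' === $payee ) {
        wp_send_json_error( array( 'error' => 'payee required' ), 400 );
    }
    update_option( 'dpw_demo_payee', $payee );
    wp_send_json_success( array( 'payee' => $payee ) );
}
add_action( 'wp_ajax_dpw_demo_save_payee_v2', 'dpw_demo_save_payee_checked' );
```

When reviewing a plugin for this class of bug, every wp_ajax_*, REST route and admin-post handler that changes state should show the same two lines near its top: a capability check and a nonce check.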

Affected Products

The Direct Payments WP WordPress plugin is affected in all versions from an unspecified baseline through version 1.3.2. The plugin is distributed through the WordPress plugin ecosystem (CPE context: cpe:2.3:a:digages:direct_payments_wp or similar). Affected organizations should check their WordPress plugin inventory for any installation of Direct Payments WP at version 1.3.2 or earlier and compare it against the vendor advisory on Patchstack.

Remediation

Update the Direct Payments WP plugin to a version newer than 1.3.2 immediately; the vendor has released patched versions addressing the authorization bypass. Users should open the WordPress plugin dashboard, locate Direct Payments WP, and apply the update if one is offered, or manually download the latest version from the WordPress plugin repository. For detailed patching information and verification, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-broken-access-control-vulnerability. Until patched, restrict access to the direct payment plugin to trusted administrators only via WordPress role management.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

CVE-2025-49339 vulnerability details – vuln.today
