
Woocommerce CVE-2025-62870

MEDIUM
Missing Authorization (CWE-862)
2025-12-09 audit@patchstack.com
5.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd) · MEDIUM 5.3

Description (CVE.org)

Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.7.1.

Analysis (AI)

Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data through an access control check that is absent or incorrectly configured, affecting all versions up to and including 4.7.1. The CVSS vector records a low integrity impact with no confidentiality or availability impact, reachable over the network with low attack complexity and requiring neither authentication nor user interaction. The EPSS score of 0.04% indicates a low observed probability of exploitation in the wild despite the medium CVSS rating; EPSS measures likelihood rather than impact, so it does not lessen the need to patch a flaw that needs no credentials to trigger.

Technical Context (AI)

This vulnerability is classified as CWE-862 (Missing Authorization): the code does not check whether the requesting user is authorized before performing a protected operation. Neither the CVE record nor the NVD entry names the affected function or endpoint; what the advisory establishes is the outcome, a state change that an unauthenticated client can trigger. In a WordPress plugin this class of defect typically takes one of a few forms: an admin-ajax.php action registered under the wp_ajax_nopriv_ hook, a REST route whose permission_callback simply returns true, or a custom request handler that never calls current_user_can(), any of which lets an attacker invoke the operation with a direct HTTP request. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) confirms network-reachable, unauthenticated exploitation with no user interaction, and limits the assessed impact to a partial loss of integrity; it does not indicate disclosure of payment data or denial of service.
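The following is an added illustration of the CWE-862 pattern described above, written for this page; it is not code from the Eupago plugin, and the action name, option name, REST namespace and capability choice are invented for the demonstration. The first handler shows the defect, the second shows the same operation with a nonce check and a capability check, and the REST route shows where the authorization check belongs in that API:

```php
<?php
/**
 * Hypothetical illustration of CWE-862 in a WooCommerce payment-gateway plugin.
 * Added example code, NOT the Eupago plugin's source: the action name,
 * option name, REST namespace and capability are invented for the demo.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registering the handler on wp_ajax_nopriv_* makes it reachable by
// logged-out visitors. The handler then writes a gateway setting without
// checking a capability or a nonce, so anyone who can POST to
// /wp-admin/admin-ajax.php?action=example_gateway_save can change it.
add_action( 'wp_ajax_example_gateway_save',        'example_gateway_save_vulnerable' );
add_action( 'wp_ajax_nopriv_example_gateway_save', 'example_gateway_save_vulnerable' );

function example_gateway_save_vulnerable() {
    $mode = isset( $_POST['mode'] ) ? sanitize_text_field( wp_unslash( $_POST['mode'] ) ) : '';
    // State change with no authorization check: integrity impact only (C:N/I:L/A:N).
    update_option( 'example_gateway_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}

// --- Hardened pattern ---------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: admin-ajax.php answers logged-out
//    callers with a 400 for an action that is not registered for them.
// 2. A nonce ties the request to a page the user actually loaded (CSRF).
// 3. An explicit capability check enforces authorization (the CWE-862 fix).
add_action( 'wp_ajax_example_gateway_save_v2', 'example_gateway_save_hardened' );

function example_gateway_save_hardened() {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_gateway_save', 'nonce' );

    // Authorization: only shop managers and administrators may change gateway settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate the value against an allow-list before persisting it.
    $allowed = array( 'test', 'live' );
    $mode    = isset( $_POST['mode'] ) ? sanitize_text_field( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid mode.' ), 400 );
    }

    update_option( 'example_gateway_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}

// --- REST equivalent ----------------------------------------------------
// The same defect appears in REST routes registered with
// 'permission_callback' => '__return_true' on a state-changing route.
// The authorization decision belongs in permission_callback, not the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/mode', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'example_gateway_mode', $request->get_param( 'mode' ) );
            return rest_ensure_response( array( 'mode' => get_option( 'example_gateway_mode' ) ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // 'enum' is enforced by the default argument validation before the callback runs.
        'args'                => array(
            'mode' => array(
                'required' => true,
                'enum'     => array( 'test', 'live' ),
            ),
        ),
    ) );
} );
```

The nonce consumed by the hardened handler is generated on the settings page with wp_create_nonce( 'example_gateway_save' ) and submitted as the nonce POST field. Note that a nonce alone is not authorization: it proves the request came from a page WordPress rendered for this session, while current_user_can() is what decides whether that session is allowed to perform the operation. Both checks are needed, and removing the nopriv hook is the cheapest way to close the unauthenticated path.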

Affected Products (AI)

All versions of Eupago Gateway For Woocommerce up to and including 4.7.1 are affected; the CVE record gives no lower bound ("n/a"), so any installed release at or below 4.7.1 should be treated as vulnerable. The plugin integrates the Eupago payment gateway with WooCommerce, the e-commerce platform for WordPress. The vulnerability was reported through Patchstack and is tracked in its WordPress plugin vulnerability database, so every WordPress site running the plugin at 4.7.1 or earlier is exposed regardless of hosting environment.

Remediation (AI)

Upgrade Eupago Gateway For Woocommerce to version 4.7.2 or later, which includes corrected access control checks; confirm the fixed version against the Patchstack advisory before relying on it. Site administrators should update the plugin from the WordPress admin dashboard (Plugins > Installed Plugins > Eupago Gateway For Woocommerce > Update now) or with WP-CLI (wp plugin update eupago-gateway-for-woocommerce), then verify the installed version. Because the flaw is a missing authorization check inside the plugin, no WordPress core update or site configuration change substitutes for the plugin update. Where patching must be deferred, a Web Application Firewall can block anonymous requests to the plugin's request handlers, but only if its rules are written for this plugin's endpoints, and it should be treated as a temporary mitigation rather than a fix. After patching, review the gateway's settings and recent orders for unexpected changes, since the vulnerability allows unauthenticated modification of data. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/eupago-gateway-for-woocommerce/vulnerability/wordpress-eupago-gateway-for-woocommerce-plugin-4-6-3-broken-access-control-vulnerability) for detailed remediation guidance.
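As an added check, not part of this page's original guidance or of the Eupago plugin, the following must-use plugin flags an installed version inside the affected range on every admin screen. The main plugin file name is an assumption (only the slug eupago-gateway-for-woocommerce appears in the CVE record); adjust EUPAGO_EXAMPLE_PLUGIN_FILE if your installation differs:

```php
<?php
/**
 * Plugin Name: Flag vulnerable Eupago Gateway version (added example)
 * Description: Added example code, not part of the Eupago plugin. Place in
 *              wp-content/mu-plugins/ to get an admin notice while an affected
 *              version (<= 4.7.1, per CVE-2025-62870) is installed.
 */

// ASSUMPTION: the main plugin file name is not stated in the CVE record;
// '<slug>/<slug>.php' is the common convention and is assumed here.
const EUPAGO_EXAMPLE_PLUGIN_FILE   = 'eupago-gateway-for-woocommerce/eupago-gateway-for-woocommerce.php';
const EUPAGO_EXAMPLE_LAST_AFFECTED = '4.7.1'; // upper bound from the CVE description

/**
 * True when $installed falls inside the affected range.
 * version_compare() orders pre-release suffixes correctly (4.7.1-beta < 4.7.1).
 */
function eupago_example_is_affected( $installed ) {
    return version_compare( $installed, EUPAGO_EXAMPLE_LAST_AFFECTED, '<=' );
}

add_action( 'admin_notices', function () {
    // Only users who could act on the notice need to see it.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }

    $path = WP_PLUGIN_DIR . '/' . EUPAGO_EXAMPLE_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return; // plugin not installed under the assumed path
    }

    // get_plugin_data() lives in wp-admin/includes/plugin.php and parses the
    // plugin header without executing the plugin.
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $path, false, false );

    if ( empty( $data['Version'] ) || ! eupago_example_is_affected( $data['Version'] ) ) {
        return;
    }

    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Eupago Gateway For WooCommerce %1$s is installed; versions up to %2$s are affected by CVE-2025-62870 (missing authorization). Update the plugin.',
            $data['Version'],
            EUPAGO_EXAMPLE_LAST_AFFECTED
        ) )
    );
} );
```

The check reads the version from the plugin header rather than from any value the plugin exposes at runtime, so it reports correctly even if the plugin is installed but deactivated, which is the state a site is in when an administrator has disabled the gateway as a stopgap.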


CVE-2025-62870 vulnerability details – vuln.today
