CVE-2025-62870
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Missing Authorization vulnerability in Eupago's Eupago Gateway For Woocommerce (eupago-gateway-for-woocommerce) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.7.1.
Analysis
Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data through incorrectly configured access control; versions up to and including 4.7.1 are affected. The flaw permits an integrity compromise with no authentication, no user interaction, and low attack complexity. An EPSS score of 0.04% indicates a low probability of real-world exploitation despite the medium CVSS severity.
Technical Context
This vulnerability stems from CWE-862 (Missing Authorization), a failure to enforce proper access control checks on protected resources or operations. In the context of the Eupago Gateway For Woocommerce plugin, the issue involves endpoints or functions that should restrict access to authenticated users or administrators but instead fail to validate user privileges before executing state-changing operations. The plugin, which handles payment processing integration with WooCommerce, lacks proper capability checks on critical functions, allowing unauthenticated attackers to interact with protected functionality through direct HTTP requests. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation requiring no user interaction.
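The following is an added illustration of the CWE-862 pattern described above in WordPress plugin code; it is not code from the Eupago plugin or the advisory. The route namespace, option name and request parameter are hypothetical; the WordPress and WooCommerce functions used (`register_rest_route`, `current_user_can`, the `manage_woocommerce` capability) are real. The first registration shows a state-changing REST endpoint with no authorization check, the second shows the same endpoint with the check enforced at registration time and again inside the handler.

```php
<?php
// Added example (hypothetical plugin code) illustrating CWE-862 in a
// WooCommerce payment-gateway plugin. Route and option names are made up.

// VULNERABLE PATTERN: the route changes gateway settings, but the
// permission_callback accepts every request, so an unauthenticated
// HTTP request reaches the state-changing handler (AV:N/PR:N/UI:N).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_gateway_update_settings',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// FIXED PATTERN: the same route, gated on the WooCommerce store-management
// capability. Returning WP_Error makes the REST server answer 401/403
// without ever invoking the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_gateway_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
        'args' => array(
            'api_key' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_gateway_update_settings( WP_REST_Request $request ) {
    // Defense in depth: re-check inside the handler, so a later edit to the
    // route registration cannot silently remove the authorization check.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    $settings            = get_option( 'example_gateway_settings', array() );
    $settings['api_key'] = $request->get_param( 'api_key' );
    update_option( 'example_gateway_settings', $settings );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When reviewing a plugin for this weakness, every REST route with `'permission_callback' => '__return_true'` and every `wp_ajax_nopriv_*` or `admin_post_nopriv_*` hook that reaches `update_option`, database writes or order changes deserves the same scrutiny.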
Affected Products
Eupago Gateway For Woocommerce from version 1.0 through 4.7.1 is affected. The plugin integrates payment gateway functionality with WooCommerce (the WordPress e-commerce platform). According to the Patchstack vulnerability database, the vulnerability has been documented for the WordPress plugin ecosystem, meaning that every installation of the Eupago Gateway plugin at version 4.7.1 or earlier running on a WordPress site is potentially vulnerable.
Remediation
Upgrade Eupago Gateway For Woocommerce to version 4.7.2 or later, which includes corrected access control checks. Site administrators should immediately update the plugin via the WordPress admin dashboard (Plugins > Installed Plugins > Eupago Gateway For Woocommerce > Update) or download the patched version from wordpress.org. For organizations unable to immediately patch, ensure the WordPress site runs behind a Web Application Firewall (WAF) that can detect and block unauthorized API calls to payment processing endpoints, though this is not a substitute for patching. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/eupago-gateway-for-woocommerce/vulnerability/wordpress-eupago-gateway-for-woocommerce-plugin-4-6-3-broken-access-control-vulnerability) for detailed remediation guidance.