CVE-2025-63023
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
Missing Authorization vulnerability in Easy Payment Payment Gateway for PayPal on WooCommerce woo-paypal-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway for PayPal on WooCommerce: from n/a through <= 9.0.53.
Analysis
Missing authorization in the Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin, versions up to and including 9.0.53, allows unauthenticated remote attackers to read sensitive payment gateway data because access control on the affected functionality is not enforced. The impact is unauthorized information disclosure with low confidentiality impact and no integrity or availability impact. The EPSS score of 0.04% indicates a low predicted probability of exploitation in the wild, even though the flaw is reachable over the network and requires no authentication.
Technical Context
The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw in the woo-paypal-gateway WordPress plugin. The plugin fails to properly validate user permissions before exposing sensitive functionality or data related to PayPal payment gateway operations. WordPress plugins extending WooCommerce's payment processing capabilities must implement role-based access controls to restrict sensitive endpoints and API calls to authenticated administrative users. This plugin's broken access control allows unauthenticated attackers to enumerate or retrieve payment-related information by directly accessing unprotected endpoints over the network, bypassing the expected authorization checks that should gate access to PayPal configuration, transaction logs, or other sensitive payment data.
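The following is an added illustration of the CWE-862 pattern the paragraph describes, written for this page and not taken from the woo-paypal-gateway plugin or its vendor. It shows a WordPress REST route and an admin-ajax handler in a form that skips authorization (any request is accepted) next to a hardened form that gates the same data on a WooCommerce capability. Route names, option names and hook names (`example-gateway/v1`, `example_gateway_settings`, `example_gateway_transactions`) are hypothetical; the WordPress functions used (`register_rest_route`, `current_user_can`, `rest_authorization_required_code`, `check_ajax_referer`, `wp_send_json_error`) are standard core APIs.

```php
<?php
/**
 * Illustrative example only (not code from woo-paypal-gateway).
 * Route names, option names and hooks below are hypothetical.
 */

// Missing-authorization pattern: a REST route whose permission_callback
// accepts every caller, so unauthenticated visitors can read gateway settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gateway_get_settings',
        'permission_callback' => '__return_true', // no authorization check at all
    ) );
} );

// Hardened pattern: same data, but the request is rejected before the callback
// runs unless the caller holds a WooCommerce management capability. The status
// is 401 for anonymous callers and 403 for logged-in users without the capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gateway_get_settings_redacted',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view gateway settings.', 'example-gateway' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Callback behind the unprotected route: returns the stored option verbatim,
// including any API credentials saved alongside the public settings.
function example_gateway_get_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_gateway_settings', array() ) );
}

// Callback behind the hardened route: even authorized readers never receive
// secret material in a read response.
function example_gateway_get_settings_redacted( WP_REST_Request $request ) {
    $settings = get_option( 'example_gateway_settings', array() );
    unset( $settings['api_secret'] ); // hypothetical key name
    return rest_ensure_response( $settings );
}

// Hardened admin-ajax handler: a nonce check covers CSRF and a capability check
// covers authorization. Registering only the wp_ajax_ hook (and not the
// wp_ajax_nopriv_ variant) keeps the action unreachable for logged-out visitors.
add_action( 'wp_ajax_example_gateway_transactions', function () {
    check_ajax_referer( 'example_gateway_admin', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( get_option( 'example_gateway_transaction_log', array() ) );
} );
```

When auditing a plugin for this class of flaw, the quick checks are: every `register_rest_route` call has a `permission_callback` that actually tests a capability (not `__return_true`), every `wp_ajax_nopriv_` hook is intentionally public and returns nothing sensitive, and read endpoints for gateway configuration strip credentials regardless of who is asking. A nonce check alone is not authorization; it only proves the request originated from a page that issued the nonce.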
Affected Products
Payment Gateway for PayPal on WooCommerce (woo-paypal-gateway) plugin versions from initial release through version 9.0.53 are affected. The plugin extends WooCommerce e-commerce functionality and is distributed via WordPress plugin repositories. CPE identifier and exact version ranges confirm vulnerability in all builds up to and including version 9.0.53.
Remediation
Update Payment Gateway for PayPal on WooCommerce plugin to version 9.0.54 or later immediately via WordPress admin dashboard (Plugins > Installed Plugins > Update). Verify the update completes successfully and test basic payment gateway functionality. If automatic updates are disabled, manually download the patched version from the official WordPress plugin repository or vendor source. For sites unable to update immediately, implement WordPress security hardening by restricting admin panel access via IP whitelisting and disabling direct access to plugin files via .htaccess or web server configuration. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-paypal-gateway/vulnerability/wordpress-payment-gateway-for-paypal-on-woocommerce-plugin-9-0-52-broken-access-control-vulnerability for detailed remediation steps.