CVE-2025-66131

CRITICAL
2025-12-16 [email protected]
9.1
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd)

Description

Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.11.

Analysis

Broken access control in Yaad Sarig Payment Gateway for WooCommerce (versions <= 2.2.11) lets an unauthenticated remote attacker invoke payment gateway functionality without passing an authorization check. The CVSS 3.1 score of 9.1 (Critical) reflects network exploitation with no privileges or user interaction and high impact to confidentiality and integrity; availability is rated None, so the vector describes reading or modifying payment-related data, not a denial of service. The EPSS score of 0.04% (14th percentile) indicates a low observed probability of exploitation despite the severity, and no public exploit had been identified at the time of analysis. The page does not identify the specific endpoint, but a missing authorization check in a payment gateway plugin implies potential for unauthorized transaction manipulation or exposure of customer transaction data in WordPress e-commerce environments.

Technical Context

The root cause is CWE-862 (Missing Authorization): the application exposes protected functionality without checking that the caller is permitted to use it. The Yaad Sarig Payment Gateway plugin integrates the Israeli payment processor Yaad Sarig with WooCommerce and therefore handles payment transactions and customer data. The advisory does not name the affected code path, so the missing check most likely sits in an API endpoint or administrative function that should verify permissions before acting. In WordPress plugins this class of flaw typically appears in one of three places: AJAX handlers registered on wp_ajax_nopriv_* hooks (or wp_ajax_* hooks whose handler never calls current_user_can()), REST API routes whose permission_callback is absent or returns true unconditionally, and PHP files reachable directly by URL that bypass the WordPress request pipeline. Note that nonce verification (check_ajax_referer() or wp_verify_nonce()) is a CSRF defense only: it shows the request came from a page the site generated, not that the user holds the required capability, so a nonce check is not a substitute for current_user_can(). The CVSS metrics AV:N and PR:N indicate the vulnerable endpoint is reachable over HTTP(S) with no authentication at all, so any remote client can trigger operations that should have been limited to an authorized merchant or to the payment system's own callbacks.
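The three patterns above are easy to triage statically before a reviewer reads a plugin line by line. The following is an added example, not code from the Yaad Sarig plugin or from the advisory: a Python script that scans plugin PHP source for REST routes with a missing or unconditional permission_callback and for AJAX hooks whose handler never calls current_user_can(). The embedded PHP is constructed for this example; the namespace example-gw/v1, the example_gw_* actions and handlers, and the manage_woocommerce capability are assumptions, chosen so that the sample contains both the weak and the hardened form of each pattern.

```python
"""Static triage of WordPress plugin source for CWE-862 patterns (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed PHP sample for this example. Route, action and handler names are
# hypothetical; this is not the Yaad Sarig plugin's code.
SAMPLE_PLUGIN_PHP = r"""
<?php
add_action('rest_api_init', function () {
    // Weak: permission_callback returns true for everyone, logged-out visitors included.
    register_rest_route('example-gw/v1', '/refund', array(
        'methods'  => 'POST',
        'callback' => 'example_gw_refund',
        'permission_callback' => '__return_true',
    ));
    // Weak: no permission_callback; WordPress 5.5+ emits a _doing_it_wrong notice but still registers the route.
    register_rest_route('example-gw/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'example_gw_save_settings',
    ));
    // Hardened: a real capability check.
    register_rest_route('example-gw/v1', '/orders', array(
        'methods'  => 'GET',
        'callback' => 'example_gw_list_orders',
        'permission_callback' => function () {
            return current_user_can('manage_woocommerce');
        },
    ));
});

// Weak: the nopriv hook exposes the handler to logged-out visitors, and the handler
// writes order meta without any capability check.
add_action('wp_ajax_nopriv_example_gw_update_status', 'example_gw_update_status');
add_action('wp_ajax_example_gw_update_status', 'example_gw_update_status');
function example_gw_update_status() {
    $order_id = intval($_POST['order_id']);
    update_post_meta($order_id, '_payment_status', sanitize_text_field($_POST['status']));
    wp_send_json_success();
}

// Hardened: logged-in hook only, nonce check for CSRF plus capability check for authorization.
add_action('wp_ajax_example_gw_export', 'example_gw_export');
function example_gw_export() {
    check_ajax_referer('example_gw_export', 'nonce');
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_send_json_success(example_gw_build_export());
}
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "rest" or "ajax"
    name: str    # REST namespace + route, or AJAX action name
    reason: str


# register_rest_route('<ns>', '<route>', array( ... ));  (args captured up to the closing "));")
REST_ROUTE_RE = re.compile(
    r"register_rest_route\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*array\((.*?)\)\s*\)\s*;", re.S)
# add_action('wp_ajax_[nopriv_]<action>', '<handler>')
AJAX_HOOK_RE = re.compile(r"add_action\(\s*'wp_ajax_(nopriv_)?(\w+)'\s*,\s*'(\w+)'\s*\)")


def _function_body(src: str, name: str) -> str:
    """Return the body of a top-level PHP function (closing brace at column 0)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{(.*?)\n\}", src, re.S)
    return m.group(1) if m else ""


def audit_plugin_source(src: str) -> List[Finding]:
    findings: List[Finding] = []
    for ns, route, args in REST_ROUTE_RE.findall(src):
        name = ns + route
        if "'permission_callback'" not in args:
            findings.append(Finding("rest", name, "no permission_callback: route is served to anyone"))
            continue
        perm = args.split("'permission_callback'", 1)[1]
        if "__return_true" in perm:
            findings.append(Finding("rest", name, "permission_callback is __return_true: public route"))
        elif "current_user_can(" not in perm:
            findings.append(Finding("rest", name, "permission_callback never calls current_user_can()"))
    for nopriv, action, handler in AJAX_HOOK_RE.findall(src):
        body = _function_body(src, handler)
        # check_ajax_referer() is deliberately not counted: a nonce is CSRF protection, not authorization.
        if "current_user_can(" in body:
            continue
        exposure = "logged-out visitors (wp_ajax_nopriv_)" if nopriv else "any logged-in user, subscribers included"
        findings.append(Finding("ajax", action, f"{handler}() has no capability check; reachable by {exposure}"))
    return findings


if __name__ == "__main__":
    for f in audit_plugin_source(SAMPLE_PLUGIN_PHP):
        print(f"[{f.kind}] {f.name}: {f.reason}")
```

Run against the sample, the script reports the /refund and /settings routes and both registrations of example_gw_update_status, and stays silent on /orders and example_gw_export. A public route is not always a bug (a payment processor's callback URL may have to be unauthenticated), so each finding still needs a human decision about whether the operation behind it is safe to expose.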

Affected Products

The vulnerability affects the Yaad Sarig Payment Gateway For WC WordPress plugin in all versions up to and including 2.2.11. The plugin integrates the Yaad Sarig payment processing service with WooCommerce and primarily serves Israeli merchants. The advisory is published in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability; note that the advisory slug refers to version 2.2.10 while the CVE record lists versions through 2.2.11, so treat the CVE record's range as authoritative until a fixed release is confirmed. The vulnerability was reported by [email protected] through their security research program. Any WordPress site running WooCommerce with this plugin at version 2.2.11 or earlier is exposed to unauthorized access to its payment processing functions and customer transaction data.

Remediation

Organizations using Yaad Sarig Payment Gateway For WC should upgrade as soon as a release later than 2.2.11 is available; this page does not confirm a fixed version, so check the plugin repository at wordpress.org/plugins/yaad-sarig-payment-gateway-for-wc and the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability for the patched version and update instructions. If patching cannot happen immediately, apply compensating controls: restrict access to the WordPress backend (/wp-admin/ and /wp-login.php) by IP allowlist; add WAF rules that block requests to the plugin's endpoints, in particular /wp-admin/admin-ajax.php requests carrying yaad-sarig action parameters and /wp-json/ routes under the plugin's namespace, from clients that are not authenticated administrators; and enable request logging so that every call to those endpoints is recorded. Two cautions apply to the WAF approach: admin-ajax.php also serves legitimate logged-out front-end features, so block by action name rather than by path, and if the plugin receives server-to-server notifications from the payment processor, that callback URL must remain reachable or orders will stop completing. Review recent order and transaction records for anomalies (status changes without a matching operator action, unexpected refunds, bulk reads of transaction data) that could indicate exploitation. If the residual risk is unacceptable, disable the plugin and use an alternative gateway until a vendor-confirmed fix has been deployed and tested.
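The logging control above only helps if someone actually looks at the records. The following is an added example, not from the page, the plugin or the vendor: a Python triage that reads combined-format (Apache/Nginx default) access-log lines, keeps only hits on the plugin's admin-ajax.php actions and /wp-json/ routes, and groups them by client with counts of successful and denied calls and of requests that did not come from the shop's own admin UI. The log lines are constructed for this example; the "yaad" substring used to recognise the plugin's actions and REST namespace follows the page's wording about yaad-sarig parameters, but the exact action names, the namespace and the shop URL https://shop.example are assumptions.

```python
"""Triage access-log lines for hits on a WordPress plugin's AJAX and REST endpoints (added example)."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

SITE_ADMIN = "https://shop.example/wp-admin/"   # assumption: the shop's own admin URL
PLUGIN_HINT = "yaad"                            # assumption: plugin actions/namespace contain this

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2025:09:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=yaad_sarig_update_order HTTP/1.1" 200 187 "-" "python-requests/2.32"
203.0.113.7 - - [16/Dec/2025:09:20:02 +0000] "GET /wp-json/yaad-sarig/v1/transactions?limit=500 HTTP/1.1" 200 48211 "-" "python-requests/2.32"
198.51.100.4 - - [16/Dec/2025:09:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=yaad_sarig_update_order HTTP/1.1" 200 187 "https://shop.example/wp-admin/post.php?post=1188&action=edit" "Mozilla/5.0"
192.0.2.9 - - [16/Dec/2025:09:22:40 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 912 "https://shop.example/cart/" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2025:09:23:05 +0000] "GET /wp-json/yaad-sarig/v1/transactions?limit=500 HTTP/1.1" 401 63 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_plugin_endpoint(target: str) -> bool:
    """True for admin-ajax.php calls with a plugin action, or REST routes under the plugin namespace."""
    parts = urlsplit(target)
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        actions = parse_qs(parts.query).get("action", [])
        return any(PLUGIN_HINT in a.lower() for a in actions)
    return "/wp-json/" in parts.path and PLUGIN_HINT in parts.path.lower()


def triage(log_text: str) -> Dict[str, dict]:
    """Per-client counters for plugin-endpoint hits: 2xx successes, 401/403 denials,
    requests whose Referer is not the shop's admin UI, and the distinct paths touched."""
    stats = defaultdict(lambda: {"success": 0, "denied": 0, "no_admin_referer": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_plugin_endpoint(m["target"]):
            continue
        s = stats[m["ip"]]
        s["targets"].add(urlsplit(m["target"]).path)
        status = int(m["status"])
        if 200 <= status < 300:
            s["success"] += 1
        elif status in (401, 403):
            s["denied"] += 1
        if not m["referer"].startswith(SITE_ADMIN):
            s["no_admin_referer"] += 1
    return dict(stats)


def flagged_clients(stats: Dict[str, dict]) -> List[str]:
    """Clients that reached a plugin endpoint successfully at least once without coming from the admin UI."""
    return sorted(ip for ip, s in stats.items() if s["success"] and s["no_admin_referer"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in flagged_clients(result):
        s = result[ip]
        print(f"{ip}: {s['success']} ok, {s['denied']} denied, paths={sorted(s['targets'])}")
```

Three limits matter when reading the output. Combined-format logs record neither POST bodies nor cookies, so an admin-ajax action sent in the request body rather than the query string is invisible here and authentication cannot be confirmed from the log alone; a WAF or a WordPress-side hook that logs the action name and the current user closes that gap. A missing admin Referer is only a weak signal: the payment processor's own server-to-server callbacks will look the same, so allowlist its source addresses before treating a client as hostile. Finally, a hit on an endpoint is not proof of compromise; confirm by checking the affected orders and transaction records for changes that no operator made.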

Priority Score

46 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +46, POC: 0


CVE-2025-66131 vulnerability details – vuln.today
