Skip to main content

WP Easy Pay CVE-2026-12738

| EUVDEUVD-2026-43151 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-h64r-hhm8-6c7c
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable action handler, trivial exploitation at subscriber level, integrity-only impact limited to post status change; no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:59 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 4.3

DescriptionCVE.org

The WP Easy Pay - Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content.

AnalysisAI

Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register or obtain subscriber account
Delivery
Authenticate to WordPress
Exploit
Identify target post or page ID
Install
Send crafted request to unprotected plugin action handler
C2
Authorization check bypassed (missing capability verification)
Execute
Arbitrary post/page set to draft status
Impact
Site content unpublished

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session at subscriber level or above - the lowest role assigned to any registered user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 4.3 (Medium) score reflects the real-world impact accurately: network-accessible (AV:N), low complexity (AC:L), requires only subscriber-level authentication (PR:L), no user interaction (UI:N), limited to integrity impact (I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site with open registration and WP Easy Pay ≤4.5.0 active. They authenticate and send a crafted HTTP request to the plugin's action endpoint - targeting the unprotected handler in wpep-setup.php - specifying the ID of a published post or page and a status of 'draft'. …
Remediation Update the WP Easy Pay plugin to the version released after 4.5.0 that incorporates SVN changeset 3593500; verify the specific patched version via the WordPress plugin repository or the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2121d9fa-bab4-489d-89bc-07a8660bc3d1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12738 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy