CVE-2026-1833
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Tags
Description
The WaMate Confirm - Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators.
Analysis
The WaMate Confirm Order Confirmation WordPress plugin through version 2.0.1 fails to enforce proper authorization checks, allowing authenticated subscribers and higher-privileged users to manipulate phone number blocking settings that should be restricted to administrators. This improper access control vulnerability enables low-privileged attackers to disrupt phone number management functionality without administrative consent.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to unauthorized access in all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today