CVE-2026-3461

EUVD-2026-22853 | CRITICAL | 2026-04-15 | Wordfence | CVSS 3.1: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 15, 2026 - 09:08 (vuln.today)

Description (NVD)

The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the express_pay_product_page_pay_for_order() function logging users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by providing the target user's email address in the billing_details parameter, resulting in complete account takeover and site compromise.

Analysis (AI)

Authentication bypass in Visa Acceptance Solutions WordPress plugin (all versions through 2.1.0) allows unauthenticated remote attackers to gain complete account takeover by providing any user's email address during guest checkout. The vulnerability enables login as any existing user, including administrators, without password verification or email ownership validation. …


Remediation (AI)

Within 24 hours: Disable or remove the Visa Acceptance Solutions WordPress plugin from all production environments immediately; audit access logs for suspicious guest checkout activity and confirm no unauthorized account access has occurred. Within 7 days: Contact Visa or the plugin vendor to confirm patch availability and expected release timeline; if patch is released, test in staging environment before deployment. …
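One way to approach the "confirm no unauthorized account access" step above, as an added example that is not from the advisory or the plugin vendor: because the bypass signs a user in without the password form, a session with no matching login POST deserves review. It assumes a combined-format access log, password logins at /wp-login.php answered with a 302, and an export of session records whose field names are hypothetical; all sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not taken from a real site.
ACCESS_LOG = '''\
203.0.113.10 - - [14/Apr/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2026:11:30:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
'''
# Assumed export of session records; the field names are hypothetical.
SESSIONS = [
    {"user": "alice-admin", "ip": "203.0.113.10", "login": "2026-04-14T10:00:02+00:00"},
    {"user": "bob-admin", "ip": "198.51.100.7", "login": "2026-04-14T11:30:13+00:00"},
]

# client IP, [timestamp], "METHOD path ...", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def password_logins(log_text, login_path="/wp-login.php"):
    """Return (ip, time) for each POST to the login form answered with a 302."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == login_path and status == "302":
            hits.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return hits


def unexplained_sessions(sessions, logins, window=timedelta(seconds=30)):
    """Return users whose session start has no login POST from the same IP nearby."""
    flagged = []
    for s in sessions:
        started = datetime.fromisoformat(s["login"])
        if not any(ip == s["ip"] and abs(started - t) <= window for ip, t in logins):
            flagged.append(s["user"])
    return flagged


if __name__ == "__main__":
    for user in unexplained_sessions(SESSIONS, password_logins(ACCESS_LOG)):
        print("review session for", user)
```

Sessions created through other legitimate sign-in paths (a custom login form, SSO) also appear as unexplained, so the output is a review list rather than a verdict.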

