Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network endpoint with no authorization check (PR:N, AV:N, AC:L, UI:N); impact is state tampering only, so I:H with C:N and A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.
AnalysisAI
Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The only prerequisite is a WordPress site running the NOWPayments for WooCommerce plugin at version 1.4.0 or earlier with the affected endpoint reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, base 7.5 HIGH) describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with high integrity impact but no confidentiality or availability loss - consistent with tampering (e.g., manipulating order/payment state) rather than data theft or service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows a store runs NOWPayments for WooCommerce <= 1.4.0 sends a crafted HTTP request directly to the plugin's unauthenticated endpoint over the network, with no login and no user interaction required. Because the endpoint lacks an authorization check, the request is processed as if authorized, letting the attacker alter payment or order state (for example, causing an order to be treated as paid). … |
| Remediation | Upgrade the NOWPayments for WooCommerce plugin to a version later than 1.4.0 once the vendor publishes a fixed release; the input identifies the last vulnerable version as 1.4.0 but does not state an exact patched version, so no vendor-released patch version is independently confirmed at time of analysis - verify the fixed release via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/nowpayments-for-woocommerce/vulnerability/wordpress-nowpayments-for-woocommerce-plugin-1-4-0-broken-access-control-vulnerability) or the WordPress.org plugin changelog. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running NOWPayments versions 1.4.0 or earlier; disable the plugin immediately; audit all orders created or modified since plugin deployment for unauthorized changes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41339
GHSA-84q6-57x9-mmj9