Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Andy Ha DEPART depart-deposit-and-part-payment-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DEPART: from n/a through <= 1.0.7.
AnalysisAI
Missing authorization controls in the DEPART WordPress plugin (versions up to 1.0.7) allow authenticated attackers to access sensitive functionality by exploiting incorrectly configured access control security levels. The vulnerability requires valid user credentials but grants low-confidentiality access through broken authorization checks. While EPSS scoring indicates minimal real-world exploitation probability (0.02%, 4th percentile), the flaw represents a critical architectural weakness in permission enforcement that could enable privilege escalation or data disclosure depending on plugin functionality.
Technical ContextAI
The vulnerability resides in the DEPART deposit-and-part-payment-for-woo WordPress plugin, a WooCommerce payment extension developed by Andy Ha. The root cause is classified as CWE-862 (Missing Authorization), indicating the plugin fails to properly verify user permissions before allowing access to protected operations or data. WordPress plugins typically enforce authorization through capability checks (e.g., current_user_can()) in action handlers, AJAX endpoints, and REST API routes. This plugin appears to be missing or incorrectly implementing such checks, allowing authenticated users (even with lower privilege levels like subscribers or customers) to perform actions restricted to higher-privileged roles (administrators or shop managers). The issue affects all versions from initial release through version 1.0.7 of the cpe:2.3:a:andy_ha:depart:*:*:*:*:*:*:*:* product.
RemediationAI
Upgrade the DEPART plugin to a version newer than 1.0.7 if available from the plugin repository or Andy Ha's official distribution channel. No specific patched version number is documented in the provided intelligence; therefore, administrators should verify the latest available release in the WordPress plugin directory or contact the plugin author directly to confirm authorization fixes have been implemented. As a temporary mitigation, restrict plugin administrative access and user roles strictly, and consider disabling the plugin on public-facing sites until an update is confirmed. The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/depart-deposit-and-part-payment-for-woo/vulnerability/wordpress-depart-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve) and NVD detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-39592) should be monitored for vendor-released patch announcements.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20231
GHSA-xcpx-rq24-mppj