Skip to main content

Wava Payment CVE-2026-39609

| EUVDEUVD-2026-20244 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-m24w-6jfq-fmh3
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20244
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7.

AnalysisAI

Wava Payment plugin for WordPress versions 0.3.7 and earlier allows unauthenticated remote attackers to access sensitive information through missing authorization controls on API endpoints. The vulnerability enables attackers to read confidential data by exploiting improperly configured access control levels without requiring authentication or user interaction. EPSS exploitation probability is minimal at 0.02%, but the ability to leak information without authentication warrants attention for WordPress sites using this payment plugin.

Technical ContextAI

Wava Payment is a WordPress plugin (CPE: cpe:2.3:a:wava.co:wava_payment:*:*:*:*:*:*:*:*) that processes payments through the Wava.co payment service. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly validate user permissions before granting access to sensitive functions or data. The plugin does not verify that the requesting user has explicit authorization to perform actions or retrieve information, relying instead on incorrectly configured or absent access control security levels. This is a classic broken access control flaw affecting WordPress plugin architecture where API endpoints or administrative functions lack proper capability checks.

RemediationAI

Update the Wava Payment plugin to a version newer than 0.3.7 immediately if available from the plugin developer or WordPress plugin repository. If no patched version is currently available, disable or remove the Wava Payment plugin until a security update is released by Wava.co. Additionally, restrict access to payment processing functions and API endpoints using WordPress user role and capability controls, ensuring only authenticated administrators can access sensitive payment data. Monitor the Patchstack advisory and official WordPress plugin repository for security updates from the vendor.

Share

CVE-2026-39609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy