Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7.
AnalysisAI
Wava Payment plugin for WordPress versions 0.3.7 and earlier allows unauthenticated remote attackers to access sensitive information through missing authorization controls on API endpoints. The vulnerability enables attackers to read confidential data by exploiting improperly configured access control levels without requiring authentication or user interaction. EPSS exploitation probability is minimal at 0.02%, but the ability to leak information without authentication warrants attention for WordPress sites using this payment plugin.
Technical ContextAI
Wava Payment is a WordPress plugin (CPE: cpe:2.3:a:wava.co:wava_payment:*:*:*:*:*:*:*:*) that processes payments through the Wava.co payment service. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly validate user permissions before granting access to sensitive functions or data. The plugin does not verify that the requesting user has explicit authorization to perform actions or retrieve information, relying instead on incorrectly configured or absent access control security levels. This is a classic broken access control flaw affecting WordPress plugin architecture where API endpoints or administrative functions lack proper capability checks.
RemediationAI
Update the Wava Payment plugin to a version newer than 0.3.7 immediately if available from the plugin developer or WordPress plugin repository. If no patched version is currently available, disable or remove the Wava Payment plugin until a security update is released by Wava.co. Additionally, restrict access to payment processing functions and API endpoints using WordPress user role and capability controls, ensuring only authenticated administrators can access sensitive payment data. Monitor the Patchstack advisory and official WordPress plugin repository for security updates from the vendor.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20244
GHSA-m24w-6jfq-fmh3