Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2.
AnalysisAI
Missing authorization in Unitech Web UnitechPay WordPress plugin through version 1.0.2 permits unauthenticated remote attackers to read sensitive information via incorrectly configured access controls, exposing data confidentiality without enabling modification or service disruption. The vulnerability carries a CVSS score of 5.3 with near-zero measured exploitation probability (EPSS 0.02%), indicating low real-world risk despite network-accessible attack surface.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization) in the UnitechPay WordPress plugin, a mobile money payment processing component. The root cause is improperly enforced access control on API or functional endpoints, allowing requests without proper privilege checks. The affected product (cpe:2.3:a:unitech_web:unitechpay:*:*:*:*:*:*:*:*) represents a WordPress plugin architecture where authorization decisions are likely made at the application logic layer rather than through WordPress role and capability hooks, permitting information disclosure through direct endpoint access.
RemediationAI
Upgrade the UnitechPay plugin to a patched version beyond 1.0.2 immediately. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/unitechpay-paiements-mobile-money/vulnerability/wordpress-unitechpay-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve) and NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39650) for patch availability and timeline. As an interim workaround if immediate patching is infeasible, restrict API endpoint access via Web Application Firewall (WAF) rules or WordPress security plugins to authenticated users only, and review access logs for unauthorized data queries.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20316
GHSA-jjmh-m34w-m8ph