Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable missing-authorization flaw in a WordPress plugin endpoint; integrity-only impact on payment state, no disclosed confidentiality or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions.
AnalysisAI
Broken access control in the Redsys for WooCommerce Light WordPress plugin (versions up to and including 7.0.0) allows remote unauthenticated attackers to invoke privileged functionality without proper authorization checks, leading to integrity impact on payment gateway operations. The flaw stems from missing authorization (CWE-862) on plugin endpoints, and at time of analysis no public exploit was identified, though the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) makes it trivially reachable. The vulnerability was reported by Patchstack and tracked as EUVD-2026-36973.
Technical ContextAI
Redsys for WooCommerce Light (slug woo-redsys-gateway-light, authored by Jose Conti per the CPE jose_conti:redsys_for_woocommerce_light) is a WordPress payment gateway plugin that integrates the Spanish Redsys card-payment platform into WooCommerce checkouts. CWE-862 (Missing Authorization) means an action handler - typically a WordPress AJAX endpoint, REST route, or admin-post hook - fails to verify the caller's capability or nonce before executing privileged logic. In payment-gateway plugins this class of bug commonly exposes order-state or transaction-handling functions (for example, marking an order as paid, retrieving transaction data, or altering gateway configuration) to anonymous HTTP callers.
RemediationAI
No vendor-released patch version is independently confirmed in the available data - the Patchstack advisory identifies 7.0.0 as the last vulnerable release but does not cite a specific fixed version in the input, so administrators should consult the Patchstack record at https://patchstack.com/database/wordpress/plugin/woo-redsys-gateway-light/vulnerability/wordpress-redsys-for-woocommerce-light-plugin-7-0-0-broken-access-control-vulnerability and the plugin's WordPress.org listing for an upgrade above 7.0.0 and apply it immediately. Until a confirmed patched release is installed, compensating controls include deactivating the woo-redsys-gateway-light plugin (this disables Redsys card payments on the store and will break checkout for that gateway), restricting access to wp-admin/admin-ajax.php and the plugin's REST routes via a Web Application Firewall rule that blocks unauthenticated requests to known plugin action names (risk: legitimate gateway callbacks from Redsys may also be filtered if rules are too broad, so allowlist the Redsys notification IP ranges), or temporarily switching WooCommerce to an alternative payment gateway. Patchstack mDVPN/vPatch subscribers receive a virtual patch via their firewall integration as a stopgap.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36973
GHSA-785h-w333-7p44