Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible WordPress endpoint requires only a subscriber account (PR:L); purely read-only data exposure yields C:H with no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions.
AnalysisAI
Broken authentication in WP Full Stripe Free (WordPress plugin by Themeisle) versions 8.4.1 and earlier permits subscriber-level authenticated users to bypass authorization controls and access restricted functionality, resulting in high-confidence information disclosure. The vulnerability (CWE-288) targets the Stripe payment integration plugin's internal access control logic, allowing a low-privileged WordPress user to reach endpoints or data intended only for higher-privileged roles. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
WP Full Stripe Free (CPE: cpe:2.3:a:themeisle:wp_full_stripe_free:*:*:*:*:*:*:*:*) is a WordPress plugin by Themeisle that integrates Stripe payment processing into WordPress sites. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes a class of flaws where an application implements a primary authentication gate but leaves an alternative code path - typically a REST API endpoint, AJAX action handler, or internal function - accessible without proper capability checks. In WordPress plugin architecture, this often manifests when plugin-registered endpoints validate nonces but omit role or capability verification, allowing any authenticated WordPress user (including subscribers, the lowest default role) to invoke privileged operations. Given the 'Information Disclosure' tag and C:H/I:N/A:N CVSS impact profile, the likely scenario is that sensitive Stripe-related data (e.g., subscription details, payment records, customer identifiers) is exposed through such an inadequately guarded endpoint.
RemediationAI
No confirmed patched version was identified in the available intelligence data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-full-stripe-free/vulnerability/wordpress-wp-full-stripe-free-plugin-8-4-1-broken-authentication-vulnerability should be consulted for the current patch status and exact fix version as the vendor may have released an update subsequent to this analysis. As an immediate compensating control, administrators should disable the WP Full Stripe Free plugin on publicly accessible sites until a patched release is confirmed - this fully eliminates the attack surface at the cost of disabling Stripe payment functionality. If disabling is not operationally feasible, restrict WordPress user registration to prevent unauthenticated visitors from obtaining the subscriber credentials needed to exploit this flaw (Settings > General > uncheck 'Anyone can register'); note this does not protect against attacks by existing subscriber accounts. Additionally, audit existing subscriber-role accounts for any unauthorized or suspicious registrations. Monitor Patchstack and the WordPress plugin repository for an updated release.
More in Wp Full Stripe Free
View allCross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free.0.16. Rated high severity (CVSS 8.8)
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36810
GHSA-hmqv-f2v5-fjff