Skip to main content

WP Full Stripe Free CVE-2026-42378

| EUVDEUVD-2026-36810 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-hmqv-f2v5-fjff
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress endpoint requires only a subscriber account (PR:L); purely read-only data exposure yields C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:04 vuln.today

DescriptionCVE.org

Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions.

AnalysisAI

Broken authentication in WP Full Stripe Free (WordPress plugin by Themeisle) versions 8.4.1 and earlier permits subscriber-level authenticated users to bypass authorization controls and access restricted functionality, resulting in high-confidence information disclosure. The vulnerability (CWE-288) targets the Stripe payment integration plugin's internal access control logic, allowing a low-privileged WordPress user to reach endpoints or data intended only for higher-privileged roles. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

WP Full Stripe Free (CPE: cpe:2.3:a:themeisle:wp_full_stripe_free:*:*:*:*:*:*:*:*) is a WordPress plugin by Themeisle that integrates Stripe payment processing into WordPress sites. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes a class of flaws where an application implements a primary authentication gate but leaves an alternative code path - typically a REST API endpoint, AJAX action handler, or internal function - accessible without proper capability checks. In WordPress plugin architecture, this often manifests when plugin-registered endpoints validate nonces but omit role or capability verification, allowing any authenticated WordPress user (including subscribers, the lowest default role) to invoke privileged operations. Given the 'Information Disclosure' tag and C:H/I:N/A:N CVSS impact profile, the likely scenario is that sensitive Stripe-related data (e.g., subscription details, payment records, customer identifiers) is exposed through such an inadequately guarded endpoint.

RemediationAI

No confirmed patched version was identified in the available intelligence data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-full-stripe-free/vulnerability/wordpress-wp-full-stripe-free-plugin-8-4-1-broken-authentication-vulnerability should be consulted for the current patch status and exact fix version as the vendor may have released an update subsequent to this analysis. As an immediate compensating control, administrators should disable the WP Full Stripe Free plugin on publicly accessible sites until a patched release is confirmed - this fully eliminates the attack surface at the cost of disabling Stripe payment functionality. If disabling is not operationally feasible, restrict WordPress user registration to prevent unauthenticated visitors from obtaining the subscriber credentials needed to exploit this flaw (Settings > General > uncheck 'Anyone can register'); note this does not protect against attacks by existing subscriber accounts. Additionally, audit existing subscriber-role accounts for any unauthorized or suspicious registrations. Monitor Patchstack and the WordPress plugin repository for an updated release.

Share

CVE-2026-42378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy