Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable unauthenticated flaw with AC:H for required parameter manipulation knowledge; I:H for payment bypass; C and A remain N as only financial integrity is impacted.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions.
AnalysisAI
Payment bypass in Best Payments Plugin for WP (versions ≤ 4.6.19) allows unauthenticated remote attackers to circumvent payment verification by manipulating HTTP parameters the plugin incorrectly treats as immutable, enabling completion of purchases without actual payment. Rooted in CWE-472 (External Control of Assumed-Immutable Web Parameter), the flaw directly threatens the financial integrity of any WordPress e-commerce site relying on this plugin for order processing. No public exploit is identified and CVSS AC:H indicates exploitation requires deliberate parameter manipulation during an active payment flow, limiting mass-exploitation risk despite the unauthenticated attack vector.
Technical ContextAI
CWE-472 (External Control of Assumed-Immutable Web Parameter) describes a class of flaw where an application transmits state data to the client - such as hidden form fields, cookies, or query parameters encoding payment status, order amount, or verification tokens - and later trusts that data as authoritative when it is returned without cryptographic validation or server-side re-verification. The Best Payments Plugin for WP by wpmanageninja (CPE: cpe:2.3:a:wpmanageninja:best_payments_plugin_for_wp:*:*:*:*:*:*:*:*) processes payments in WordPress environments and, based on the CWE and CVSS vector, appears to pass payment-state parameters client-side without signing or binding them to a server-authoritative record. When these parameters are submitted back by the client, the plugin accepts them at face value, treating a client-supplied 'payment successful' signal as legitimate. The CVSS AC:H metric confirms that successful exploitation requires understanding the plugin's specific parameter structure and the sequence of the payment flow, distinguishing this from a trivially automatable flaw.
RemediationAI
No vendor-released patch version is independently confirmed from available data; administrators should immediately consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-payment-form/vulnerability/wordpress-best-payments-plugin-for-wp-plugin-4-6-19-payment-bypass-vulnerability?_s_id=cve for the latest fix status and upgrade instructions. If a patched version has been released in the WordPress plugin repository, updating to it is the primary remediation. As a compensating control where patching is not immediately possible, temporarily deactivating the plugin eliminates exposure entirely but halts payment processing. Restricting checkout page access to authenticated users only, if the plugin supports such configuration, raises the exploitation bar from PR:N to at least PR:L. Deploying a WAF rule to flag or block anomalous parameter values in payment-related POST requests (e.g., unexpected payment status values not originating from the payment gateway callback endpoint) provides partial mitigation with minimal trade-offs. Server-side re-validation of all payment-state data against authoritative payment gateway records - rather than client-submitted fields - should be treated as a permanent architectural requirement for any replacement or updated plugin version.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36820
GHSA-g7qv-r436-2gvc