Stripe Payments CVE-2026-42752

EUVD: EUVD-2026-36838 · MEDIUM
Expected Behavior Violation (CWE-440)
2026-06-15 · Patchstack · GHSA-q946-p8hr-8q7p
6.5 (CVSS 3.1 · Vendor: Patchstack)

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress plugin, no authentication required per description, limited data access and modification only, no availability or scope impact confirmed.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 22:57 (vuln.today)

Description (CVE.org)

Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.

Analysis (AI)

Unauthenticated bypass in the Stripe Payments WordPress plugin (versions up to and including 2.0.98) allows remote, unauthenticated attackers to circumvent authentication controls, resulting in limited confidentiality and integrity impact against affected WordPress installations. Reported by Patchstack (ENISA EUVD-2026-36838), the flaw is classified under CWE-440 (Expected Behavior Violation), indicating the plugin's actual enforcement diverges from its intended or documented security model. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site with Stripe Payments ≤ 2.0.98
Exploit: Send unauthenticated HTTP request to protected plugin endpoint
Execution: Bypass CWE-440 authentication check
Impact: Access or modify payment-related plugin data

Vulnerability Assessment (AI)

Exploitation: No special pre-authentication conditions are required. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates remote, unauthenticated exploitation against any network-accessible WordPress installation running Stripe Payments 2.0.98 or earlier. …

Risk Assessment: The CVSS 3.1 base score of 6.5 (Medium) reflects an unauthenticated, network-accessible attack requiring no user interaction (AV:N/AC:L/PR:N/UI:N), with impact constrained to low confidentiality and low integrity (C:L/I:L/A:N) and no scope change (S:U). …

Exploit Scenario: An unauthenticated remote attacker identifies a publicly accessible WordPress site running Stripe Payments 2.0.98 or earlier and sends a crafted HTTP request directly to a plugin endpoint that should require authentication, bypassing the intended access control. The attacker can then read payment-related data or alter plugin state, with low confidentiality and integrity impact. …

Remediation: Update the Stripe Payments WordPress plugin to a version above 2.0.98 once the vendor has issued a patched release. Consult the official WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/stripe-payments/vulnerability/wordpress-stripe-payments-plugin-2-0-98-bypass-vulnerability-vulnerability for the confirmed fix version; an exact patched version number was not independently confirmed in the available intelligence data. …
