Skip to main content

SePay Gateway CVE-2026-42763

| EUVDEUVD-2026-31754 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-mvxg-x6w9-jq73
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:50 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data.

This issue affects SePay Gateway: from n/a through 1.1.20.

AnalysisAI

Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.

Technical ContextAI

SePay Gateway is a WordPress payment plugin developed by the SePay team, identified by CPE cpe:2.3:a:sepay_team:sepay_gateway:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization): the plugin exposes one or more internal endpoints or data retrieval routines without enforcing WordPress capability checks or nonce verification, allowing any authenticated session to invoke them. This class of vulnerability is common in WordPress plugins where developers register REST API routes, AJAX handlers, or admin-accessible pages without verifying that the calling user holds the required role or capability. The 'Retrieve Embedded Sensitive Data' impact suggests payment credentials, API keys, or gateway configuration secrets are accessible through the unguarded code path.

RemediationAI

The primary remediation is to update the SePay Gateway plugin to a version released after 1.1.20; no exact fix version is confirmed in the available input data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sepay-gateway/vulnerability/wordpress-sepay-gateway-plugin-1-1-20-sensitive-data-exposure-vulnerability and the WordPress plugin repository for the latest patched release. If an update is not immediately available, a compensating control is to restrict WordPress site access so that only trusted, explicitly authorized accounts can log in, thereby reducing the pool of potential low-privilege attackers. Additionally, site administrators should audit current subscriber and contributor-level accounts and disable any that are unnecessary. As a further control, a Web Application Firewall capable of WordPress-aware rule enforcement (e.g., Wordfence or Patchstack's virtual patch) can block unauthorized access to the affected plugin endpoints without requiring a plugin update, though this introduces dependency on WAF rule accuracy and may affect plugin functionality.

Share

CVE-2026-42763 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy