Skip to main content

MyCryptoCheckout CVE-2026-45209

| EUVDEUVD-2026-31770 HIGH
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-9p39-xj39-27fr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 09:18 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects MyCryptoCheckout: from n/a through 2.161.

AnalysisAI

Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.

Technical ContextAI

MyCryptoCheckout is a WordPress plugin (CPE: cpe:2.3:a:edward_plainview:mycryptocheckout) that enables site owners to accept cryptocurrency payments. The vulnerability falls under CWE-862 (Missing Authorization), meaning one or more plugin endpoints or actions fail to verify whether the requesting user has the necessary permissions before executing privileged functionality or returning sensitive data. In WordPress plugins, this class of bug typically manifests as REST API routes, AJAX handlers (wp-ajax actions), or admin-post hooks that lack proper capability checks (current_user_can) or nonce validation, allowing unauthenticated visitors to invoke functions intended for administrators or authenticated users.

RemediationAI

Upgrade MyCryptoCheckout to a version newer than 2.161 as soon as the developer publishes a fixed release; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mycryptocheckout/vulnerability/wordpress-mycryptocheckout-plugin-2-161-broken-access-control-vulnerability) and the WordPress plugin repository for the patched build. No vendor-released patched version is independently confirmed in the provided data, so administrators should monitor the plugin changelog and Patchstack for the fixing version. Until a patch is applied, compensating controls include deactivating the MyCryptoCheckout plugin if cryptocurrency checkout is non-essential (eliminates checkout functionality entirely), placing a WAF rule or Patchstack mitigation in front of the site to block requests to MyCryptoCheckout-specific endpoints (may break legitimate transactions if rules are overly broad), or restricting access to wp-admin/admin-ajax.php and the plugin's REST routes via IP allowlisting at the web server layer (will block legitimate buyers if applied indiscriminately).

Share

CVE-2026-45209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy