Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects MyCryptoCheckout: from n/a through 2.161.
AnalysisAI
Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.
Technical ContextAI
MyCryptoCheckout is a WordPress plugin (CPE: cpe:2.3:a:edward_plainview:mycryptocheckout) that enables site owners to accept cryptocurrency payments. The vulnerability falls under CWE-862 (Missing Authorization), meaning one or more plugin endpoints or actions fail to verify whether the requesting user has the necessary permissions before executing privileged functionality or returning sensitive data. In WordPress plugins, this class of bug typically manifests as REST API routes, AJAX handlers (wp-ajax actions), or admin-post hooks that lack proper capability checks (current_user_can) or nonce validation, allowing unauthenticated visitors to invoke functions intended for administrators or authenticated users.
RemediationAI
Upgrade MyCryptoCheckout to a version newer than 2.161 as soon as the developer publishes a fixed release; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mycryptocheckout/vulnerability/wordpress-mycryptocheckout-plugin-2-161-broken-access-control-vulnerability) and the WordPress plugin repository for the patched build. No vendor-released patched version is independently confirmed in the provided data, so administrators should monitor the plugin changelog and Patchstack for the fixing version. Until a patch is applied, compensating controls include deactivating the MyCryptoCheckout plugin if cryptocurrency checkout is non-essential (eliminates checkout functionality entirely), placing a WAF rule or Patchstack mitigation in front of the site to block requests to MyCryptoCheckout-specific endpoints (may break legitimate transactions if rules are overly broad), or restricting access to wp-admin/admin-ajax.php and the plugin's REST routes via IP allowlisting at the web server layer (will block legitimate buyers if applied indiscriminately).
More in Mycryptocheckout
View allThe MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leadi
Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview MyCryptoCheckout plugin <= 2.125 versions. Rated hig
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31770
GHSA-9p39-xj39-27fr