Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable missing-authorization flaw in a WordPress plugin endpoint, no user interaction, integrity-only impact on payment/order state, no confidentiality or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.
AnalysisAI
Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Montonio for WooCommerce is a WordPress plugin that integrates the Montonio payment gateway (a Baltic-region payment service supporting bank-link payments and BNPL) with WooCommerce stores. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin endpoints - likely AJAX handlers, REST routes, or admin-post actions - execute privileged functionality without verifying that the caller has the appropriate capability or nonce. In WordPress plugin code this typically manifests as a registered action callback that omits current_user_can() checks or check_ajax_referer() validation, allowing anonymous HTTP requests to invoke functionality intended for authenticated administrators or the payment-gateway callback flow.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied references; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/montonio-for-woocommerce/vulnerability/wordpress-montonio-for-woocommerce-plugin-10-1-2-broken-access-control-vulnerability) should be consulted directly for any fixed release published after this analysis, and operators should update to any Montonio for WooCommerce version above 10.1.2 as soon as one is released. As compensating controls until a patch is applied, restrict access to the plugin's AJAX and REST endpoints via a WAF rule (Patchstack, Wordfence, or equivalent virtual patching) targeting the plugin's action names - this carries the trade-off of potentially blocking legitimate Montonio gateway callbacks, so allowlist Montonio's payment-processor source IPs. Alternatively, deactivate the plugin and route checkout through an unaffected gateway, accepting the loss of Montonio payment-method availability, or place wp-admin and the WooCommerce REST API behind IP allowlisting if the merchant's operational topology permits.
More in Montonio For Woocommerce
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36851
GHSA-7qp8-gvq3-4f48