Skip to main content

Montonio for WooCommerce CVE-2026-48873

| EUVDEUVD-2026-36851 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-7qp8-gvq3-4f48
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable missing-authorization flaw in a WordPress plugin endpoint, no user interaction, integrity-only impact on payment/order state, no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:47 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.

AnalysisAI

Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Montonio for WooCommerce is a WordPress plugin that integrates the Montonio payment gateway (a Baltic-region payment service supporting bank-link payments and BNPL) with WooCommerce stores. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin endpoints - likely AJAX handlers, REST routes, or admin-post actions - execute privileged functionality without verifying that the caller has the appropriate capability or nonce. In WordPress plugin code this typically manifests as a registered action callback that omits current_user_can() checks or check_ajax_referer() validation, allowing anonymous HTTP requests to invoke functionality intended for authenticated administrators or the payment-gateway callback flow.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied references; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/montonio-for-woocommerce/vulnerability/wordpress-montonio-for-woocommerce-plugin-10-1-2-broken-access-control-vulnerability) should be consulted directly for any fixed release published after this analysis, and operators should update to any Montonio for WooCommerce version above 10.1.2 as soon as one is released. As compensating controls until a patch is applied, restrict access to the plugin's AJAX and REST endpoints via a WAF rule (Patchstack, Wordfence, or equivalent virtual patching) targeting the plugin's action names - this carries the trade-off of potentially blocking legitimate Montonio gateway callbacks, so allowlist Montonio's payment-processor source IPs. Alternatively, deactivate the plugin and route checkout through an unaffected gateway, accepting the loss of Montonio payment-method availability, or place wp-admin and the WooCommerce REST API behind IP allowlisting if the merchant's operational topology permits.

Share

CVE-2026-48873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy