Skip to main content

Paytium CVE-2026-56030

| EUVDEUVD-2026-39693 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-26 audit@patchstack.com GHSA-h9xr-fprq-hcr8
9.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Privilege escalation reachable by unauthenticated network requests with low complexity (AV:N/AC:L/PR:N/UI:N); gaining elevated WordPress rights yields high confidentiality, integrity, and availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:41 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in Paytium <= 5.0.2 versions.

AnalysisAI

Unauthenticated privilege escalation in the Paytium WordPress plugin (Mollie payment forms and donations) through version 5.0.2 allows remote attackers with no authentication to gain elevated privileges, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. The flaw stems from incorrect privilege assignment (CWE-266), meaning a low- or no-privilege actor can be granted rights they should not have. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Paytium ≤5.0.2
Delivery
Send unauthenticated request to vulnerable endpoint
Exploit
Trigger incorrect privilege assignment
Execution
Obtain elevated/admin privileges
Impact
Take over site or alter payment data

Vulnerability AssessmentAI

Exploitation The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no special conditions are required beyond network reachability - remote unauthenticated exploitation against affected installations of the Paytium WordPress plugin (versions <= 5.0.2). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are partially mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An anonymous remote attacker sends a crafted HTTP request to the vulnerable Paytium endpoint on a WordPress site, abusing the flawed privilege-assignment logic to grant themselves or a newly created account elevated rights without authenticating. With elevated privileges they can manipulate site data, payment configuration, or pivot toward full site takeover. …
Remediation No vendor-released patch version is identified in the available data, so confirm the current fixed release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/paytium/vulnerability/wordpress-paytium-plugin-5-0-2-privilege-escalation-vulnerability?_s_id=cve) and the plugin's WordPress.org page, then upgrade to the first release above 5.0.2 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress installations running Paytium plugin; audit active version numbers; assess scope of customer payment data stored or processed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy