Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Privilege escalation reachable by unauthenticated network requests with low complexity (AV:N/AC:L/PR:N/UI:N); gaining elevated WordPress rights yields high confidentiality, integrity, and availability impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Privilege Escalation in Paytium <= 5.0.2 versions.
AnalysisAI
Unauthenticated privilege escalation in the Paytium WordPress plugin (Mollie payment forms and donations) through version 5.0.2 allows remote attackers with no authentication to gain elevated privileges, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. The flaw stems from incorrect privilege assignment (CWE-266), meaning a low- or no-privilege actor can be granted rights they should not have. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no special conditions are required beyond network reachability - remote unauthenticated exploitation against affected installations of the Paytium WordPress plugin (versions <= 5.0.2). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are partially mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An anonymous remote attacker sends a crafted HTTP request to the vulnerable Paytium endpoint on a WordPress site, abusing the flawed privilege-assignment logic to grant themselves or a newly created account elevated rights without authenticating. With elevated privileges they can manipulate site data, payment configuration, or pivot toward full site takeover. … |
| Remediation | No vendor-released patch version is identified in the available data, so confirm the current fixed release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/paytium/vulnerability/wordpress-paytium-plugin-5-0-2-privilege-escalation-vulnerability?_s_id=cve) and the plugin's WordPress.org page, then upgrade to the first release above 5.0.2 once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress installations running Paytium plugin; audit active version numbers; assess scope of customer payment data stored or processed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39693
GHSA-h9xr-fprq-hcr8