Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Plugin endpoint is network-accessible with no auth check (PR:N); scope unchanged, impact capped at Low integrity and availability with no confidentiality loss.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 4.0.2.
AnalysisAI
Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default WordPress installations running Peach Payments Gateway in any version through 4.0.2 with WooCommerce active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) reflects a remotely exploitable, low-complexity, unauthenticated flaw - signals that individually suggest high real-world exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker enumerates WordPress sites running WooCommerce with the Peach Payments Gateway plugin installed - detectable via plugin file paths or checkout page artifacts - then sends a crafted HTTP request directly to the vulnerable plugin endpoint, bypassing the absent authorization check. The attacker successfully invokes a restricted plugin action, potentially modifying payment gateway settings or disrupting transaction processing with low integrity or availability impact. … |
| Remediation | Update the Peach Payments Gateway plugin to the version identified as patched in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-4-0-2-broken-access-control-vulnerability - no exact fix version number is confirmed in the available data and one should not be assumed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43480