Skip to main content

Peach Payments Gateway CVE-2026-57408

| EUVDEUVD-2026-43480 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Plugin endpoint is network-accessible with no auth check (PR:N); scope unchanged, impact capped at Low integrity and availability with no confidentiality loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:25 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 4.0.2.

AnalysisAI

Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WooCommerce site with Peach Payments plugin
Delivery
Send unauthenticated HTTP request to vulnerable endpoint
Exploit
Bypass missing authorization check
Execution
Invoke restricted plugin functionality
Impact
Cause low-impact integrity or availability disruption

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default WordPress installations running Peach Payments Gateway in any version through 4.0.2 with WooCommerce active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) reflects a remotely exploitable, low-complexity, unauthenticated flaw - signals that individually suggest high real-world exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker enumerates WordPress sites running WooCommerce with the Peach Payments Gateway plugin installed - detectable via plugin file paths or checkout page artifacts - then sends a crafted HTTP request directly to the vulnerable plugin endpoint, bypassing the absent authorization check. The attacker successfully invokes a restricted plugin action, potentially modifying payment gateway settings or disrupting transaction processing with low integrity or availability impact. …
Remediation Update the Peach Payments Gateway plugin to the version identified as patched in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-4-0-2-broken-access-control-vulnerability - no exact fix version number is confirmed in the available data and one should not be assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy