Skip to main content

rzp-woocommerce CVE-2026-57424

| EUVDEUVD-2026-43351 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-accessible, unauthenticated missing authorization with no confidentiality loss; limited integrity and availability impact on payment link data only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:22 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in knitpay Razorpay Payment Links for WooCommerce rzp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay Payment Links for WooCommerce: from n/a through <= 2.1.4.

AnalysisAI

Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WooCommerce store with rzp-woocommerce active
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php with plugin action
Exploit
Bypass missing authorization check
Execution
Manipulate or disrupt Razorpay payment link records
Impact
Cause order integrity or availability impact

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has the Razorpay Payment Links for WooCommerce plugin (rzp-woocommerce) installed and active in version 2.1.4 or earlier, and that the site is running WooCommerce. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L indicates a straightforward, remotely exploitable flaw requiring no authentication and no user interaction, but with limited impact (no confidentiality loss, only low integrity and availability impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request to the WooCommerce store's wp-admin/admin-ajax.php endpoint (or a registered REST route), targeting the vulnerable plugin action with no cookies or nonce validation required. Because the plugin callback does not invoke a capability check, the request is processed and the attacker can alter or cancel Razorpay payment links, potentially disrupting active customer payment sessions or invalidating orders. …
Remediation Check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rzp-woocommerce/vulnerability/wordpress-razorpay-payment-links-for-woocommerce-plugin-2-1-4-broken-access-control-vulnerability for a patched release above version 2.1.4; upgrade immediately if one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy