Skip to main content

Addi 8211 Cuotas Que Se Adaptan A Ti EUVDEUVD-2026-15776

| CVE-2026-27073 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-03-25 Patchstack
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15776
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Use of Hard-coded Credentials vulnerability in Addi Addi &#8211; Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi &#8211; Cuotas que se adaptan a ti: from n/a through <= 2.0.4.

AnalysisAI

A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.

Technical ContextAI

The Addi plugin (cpe:2.3:a:addi:addi_–_cuotas_que_se_adaptan_a_ti) is a WordPress plugin providing buy-now-pay-later payment services integrated into WordPress environments. The vulnerability stems from CWE-798, which involves embedding sensitive credentials (passwords, API keys, or authentication tokens) directly within application source code or configuration files rather than externalizing them via secure credential management. In this case, hard-coded credentials enable attackers to bypass the plugin's authentication mechanisms and exploit password recovery functions without proper authorization checks. The affected versions range from initial release through version 2.0.4, indicating the flaw has persisted across multiple updates.

RemediationAI

Update the Addi plugin to a version newer than 2.0.4 as soon as patched releases become available; check the plugin's WordPress.org repository or vendor site for security updates. In the immediate term, disable the plugin entirely if it is not actively required for business operations, or restrict access to the plugin's payment processing endpoints via Web Application Firewall (WAF) rules or network-level access controls. Conduct a security audit of any user accounts or transactions processed through the plugin since deployment to identify potential compromise. Additionally, reset any API credentials or authentication tokens used by the plugin within WordPress or connected payment systems. Monitor for suspicious authentication attempts or account recovery activities in WordPress logs and consider implementing additional two-factor authentication for user accounts using the payment service.

Share

EUVD-2026-15776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy