Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4.
AnalysisAI
A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.
Technical ContextAI
The Addi plugin (cpe:2.3:a:addi:addi_–_cuotas_que_se_adaptan_a_ti) is a WordPress plugin providing buy-now-pay-later payment services integrated into WordPress environments. The vulnerability stems from CWE-798, which involves embedding sensitive credentials (passwords, API keys, or authentication tokens) directly within application source code or configuration files rather than externalizing them via secure credential management. In this case, hard-coded credentials enable attackers to bypass the plugin's authentication mechanisms and exploit password recovery functions without proper authorization checks. The affected versions range from initial release through version 2.0.4, indicating the flaw has persisted across multiple updates.
RemediationAI
Update the Addi plugin to a version newer than 2.0.4 as soon as patched releases become available; check the plugin's WordPress.org repository or vendor site for security updates. In the immediate term, disable the plugin entirely if it is not actively required for business operations, or restrict access to the plugin's payment processing endpoints via Web Application Firewall (WAF) rules or network-level access controls. Conduct a security audit of any user accounts or transactions processed through the plugin since deployment to identify potential compromise. Additionally, reset any API credentials or authentication tokens used by the plugin within WordPress or connected payment systems. Monitor for suspicious authentication attempts or account recovery activities in WordPress logs and consider implementing additional two-factor authentication for user accounts using the payment service.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15776