Skip to main content

Ipospays Gateways Wc EUVDEUVD-2026-20242

| CVE-2026-39608 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-g84h-496p-cffh
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20242
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7.

AnalysisAI

Missing authorization in iPOSpays Gateways WC WordPress plugin versions up to 1.3.7 allows unauthenticated remote attackers to modify sensitive data due to incorrectly configured access control, resulting in integrity compromise without authentication or user interaction. Exploitation requires only network access and is low-complexity, though current real-world exploitation likelihood remains minimal (EPSS 0.02%).

Technical ContextAI

The iPOSpays Gateways WC plugin is a WordPress payment gateway integration component that handles transaction processing and merchant configuration. The vulnerability stems from CWE-862 (Missing Authorization), a class 4 weakness where the application fails to enforce proper permission checks before allowing sensitive operations. The affected plugin versions prior to and including 1.3.7 contain access control security levels that are either absent or misconfigured, permitting unauthorized manipulation of payment gateway settings or transaction data without proper privilege validation.

RemediationAI

Update iPOSpays Gateways WC to a patched version above 1.3.7 immediately. Administrators should review the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/ipospays-gateways-wc/vulnerability/wordpress-ipospays-gateways-wc-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve for specific patch availability and release notes. As an interim measure before patch deployment, restrict WordPress user role permissions for payment gateway configuration to administrator accounts only and audit access logs for unauthorized modification attempts to payment settings.

Share

EUVD-2026-20242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy