Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7.
AnalysisAI
Missing authorization in iPOSpays Gateways WC WordPress plugin versions up to 1.3.7 allows unauthenticated remote attackers to modify sensitive data due to incorrectly configured access control, resulting in integrity compromise without authentication or user interaction. Exploitation requires only network access and is low-complexity, though current real-world exploitation likelihood remains minimal (EPSS 0.02%).
Technical ContextAI
The iPOSpays Gateways WC plugin is a WordPress payment gateway integration component that handles transaction processing and merchant configuration. The vulnerability stems from CWE-862 (Missing Authorization), a class 4 weakness where the application fails to enforce proper permission checks before allowing sensitive operations. The affected plugin versions prior to and including 1.3.7 contain access control security levels that are either absent or misconfigured, permitting unauthorized manipulation of payment gateway settings or transaction data without proper privilege validation.
RemediationAI
Update iPOSpays Gateways WC to a patched version above 1.3.7 immediately. Administrators should review the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/ipospays-gateways-wc/vulnerability/wordpress-ipospays-gateways-wc-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve for specific patch availability and release notes. As an interim measure before patch deployment, restrict WordPress user role permissions for payment gateway configuration to administrator accounts only and audit access logs for unauthorized modification attempts to payment settings.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20242
GHSA-g84h-496p-cffh