Skip to main content

Unitechpay EUVDEUVD-2026-20316

| CVE-2026-39650 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-jjmh-m34w-m8ph
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20316
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2.

AnalysisAI

Missing authorization in Unitech Web UnitechPay WordPress plugin through version 1.0.2 permits unauthenticated remote attackers to read sensitive information via incorrectly configured access controls, exposing data confidentiality without enabling modification or service disruption. The vulnerability carries a CVSS score of 5.3 with near-zero measured exploitation probability (EPSS 0.02%), indicating low real-world risk despite network-accessible attack surface.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization) in the UnitechPay WordPress plugin, a mobile money payment processing component. The root cause is improperly enforced access control on API or functional endpoints, allowing requests without proper privilege checks. The affected product (cpe:2.3:a:unitech_web:unitechpay:*:*:*:*:*:*:*:*) represents a WordPress plugin architecture where authorization decisions are likely made at the application logic layer rather than through WordPress role and capability hooks, permitting information disclosure through direct endpoint access.

RemediationAI

Upgrade the UnitechPay plugin to a patched version beyond 1.0.2 immediately. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/unitechpay-paiements-mobile-money/vulnerability/wordpress-unitechpay-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve) and NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39650) for patch availability and timeline. As an interim workaround if immediate patching is infeasible, restrict API endpoint access via Web Application Firewall (WAF) rules or WordPress security plugins to authenticated users only, and review access logs for unauthorized data queries.

Share

EUVD-2026-20316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy