Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-accessible WordPress plugin, no authentication required per description, limited data access and modification only, no availability or scope impact confirmed.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
Description (source: CVE.org)
Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.
Analysis (AI-generated)
Unauthenticated bypass in the Stripe Payments WordPress plugin (versions up to and including 2.0.98) allows remote, unauthenticated attackers to circumvent authentication controls, resulting in limited confidentiality and integrity impact against affected WordPress installations. Reported by Patchstack (ENISA EUVD-2026-36838), the flaw is classified under CWE-440 (Expected Behavior Violation), indicating the plugin's actual enforcement diverges from its intended or documented security model. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No special pre-authentication conditions are required: the CVSS vector AV:N/AC:L/PR:N/UI:N indicates remote, unauthenticated exploitation against any network-accessible WordPress installation running Stripe Payments plugin version 2.0.98 or earlier. … |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) reflects an unauthenticated, network-accessible attack requiring no user interaction (AV:N/AC:L/PR:N/UI:N), but with impact constrained to low confidentiality and low integrity (C:L/I:L/A:N) and no scope change (S:U). … |
| Exploit Scenario | An unauthenticated remote attacker identifies a publicly accessible WordPress site running Stripe Payments 2.0.98 or earlier and sends a crafted HTTP request directly to a plugin endpoint that should require authentication, bypassing the intended access control. The attacker can then access payment-related data or alter plugin state, with low confidentiality and integrity impact. … |
| Remediation | Update the Stripe Payments WordPress plugin to a version above 2.0.98 if the vendor has issued a patched release. Consult the official WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/stripe-payments/vulnerability/wordpress-stripe-payments-plugin-2-0-98-bypass-vulnerability-vulnerability for the confirmed fix version; an exact patched version number was not independently confirmed in the available intelligence data. … |
Related weakness: CWE-440 (Expected Behavior Violation)
Related technique: Authentication Bypass
References: EUVD-2026-36838; GHSA-q946-p8hr-8q7p