Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); broken access control on a state-changing action yields I:H with no disclosure or downtime, so C:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.
AnalysisAI
Unauthenticated broken access control in the Knit Pay WordPress plugin versions 9.4.0.0 and earlier allows remote attackers to modify integrity-sensitive data without any authentication or user interaction. The flaw is rooted in missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit identified at time of analysis, the network-reachable nature and zero prerequisites make it attractive for opportunistic abuse against WordPress sites running this payment plugin.
Technical ContextAI
Knit Pay is a WordPress payment-gateway plugin (CPE cpe:2.3:a:knit_pay:knit_pay) that integrates third-party Indian payment processors into WordPress sites. The underlying weakness is CWE-862 Missing Authorization, meaning one or more plugin actions - typically exposed via WordPress admin-ajax, REST routes, or admin-post handlers - execute privileged operations without verifying the caller's capability (current_user_can) or nonce. In WordPress plugins of this class, such gaps commonly surface in configuration, transaction-record, or webhook endpoints where the developer assumed an authenticated admin context but registered the hook on a public action.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed from the provided data, so site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/knit-pay/vulnerability/wordpress-knit-pay-plugin-9-4-0-0-broken-access-control-vulnerability and update Knit Pay to any version greater than 9.4.0.0 as soon as the vendor publishes one on the WordPress.org plugin repository. As compensating controls until a patched release is verified, restrict access to /wp-admin/admin-ajax.php and the plugin's REST namespace via a WAF rule or .htaccess deny for unauthenticated callers (side effect: may break legitimate front-end checkout flows that rely on the plugin's AJAX handlers), deactivate the Knit Pay plugin if payment processing is not currently in production use, and audit recent plugin-related database writes for unauthorized modifications.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36876
GHSA-f972-34qc-543f