Skip to main content

UPI QR Code Payment Gateway EUVDEUVD-2026-39378

| CVE-2026-56023 MEDIUM
Missing Authorization (CWE-862)
2026-06-25 Patchstack GHSA-qc9g-q3w6-g945
5.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L confirmed by authenticated-only exploitation; C:L added as BAC in payment context likely exposes order data; A:N as disruption is limited, not denial of service.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 14:37 vuln.today
CVE Published
Jun 25, 2026 - 13:12 cve.org
MEDIUM 5.4

DescriptionCVE.org

Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.

AnalysisAI

Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege WooCommerce account
Delivery
Identify unprotected plugin endpoint via source review
Exploit
Send crafted authenticated request without required capability
Execution
Bypass missing authorization check
Impact
Modify payment gateway config or disrupt order flow

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid, low-privilege authenticated account on the WordPress/WooCommerce site - such as a WooCommerce customer account, which is freely obtainable on most e-commerce sites that allow guest registration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.4 (Medium) reflects network-accessible exploitation at low complexity requiring only a low-privilege authenticated account - consistent with a typical WordPress subscriber or WooCommerce customer. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free WooCommerce customer account on a target merchant site running the vulnerable plugin. Using a crafted HTTP request to an unprotected plugin endpoint - requiring no admin privileges - the attacker modifies payment gateway settings or manipulates order status, potentially redirecting UPI payment confirmations or disrupting the checkout flow. …
Remediation Upstream fix availability has not been independently confirmed from the available data - the exact patched version is not specified in the Patchstack advisory or NVD CPE records at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy