Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
PR:L confirmed by authenticated-only exploitation; C:L added as BAC in payment context likely exposes order data; A:N as disruption is limited, not denial of service.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.
AnalysisAI
Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid, low-privilege authenticated account on the WordPress/WooCommerce site - such as a WooCommerce customer account, which is freely obtainable on most e-commerce sites that allow guest registration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.4 (Medium) reflects network-accessible exploitation at low complexity requiring only a low-privilege authenticated account - consistent with a typical WordPress subscriber or WooCommerce customer. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free WooCommerce customer account on a target merchant site running the vulnerable plugin. Using a crafted HTTP request to an unprotected plugin endpoint - requiring no admin privileges - the attacker modifies payment gateway settings or manipulates order status, potentially redirecting UPI payment confirmations or disrupting the checkout flow. … |
| Remediation | Upstream fix availability has not been independently confirmed from the available data - the exact patched version is not specified in the Patchstack advisory or NVD CPE records at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39378
GHSA-qc9g-q3w6-g945