Skip to main content

Frisbii Pay EUVDEUVD-2026-39700

| CVE-2026-56038 HIGH
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-6hv7-34w5-9r7h
8.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoint, low complexity, requires a low-privilege Contributor account (PR:L), no user interaction; missing authorization yields full site takeover so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:44 vuln.today

DescriptionCVE.org

Contributor Privilege Escalation in Frisbii Pay <= 1.8.2 versions.

AnalysisAI

Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account on site
Delivery
Authenticate to WordPress
Exploit
Call plugin endpoint missing authorization check
Execution
Execute privileged admin action
Impact
Escalate to administrative control

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session at the Contributor role (or equivalent low-privilege level), per the explicit 'Contributor Privilege Escalation' description and the CVSS PR:L metric - it is not exploitable by fully unauthenticated attackers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with high impact across all three security properties - a serious combination. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor-level account on a WordPress site running Frisbii Pay <= 1.8.2 - trivial on sites that allow self-registration as contributor. They then send a crafted authenticated request to the plugin's unprotected privileged endpoint, which performs an administrative action on their behalf, escalating their effective privileges and allowing them to take over the site. …
Remediation No vendor-released patch version was identified in the provided data, so confirm the fixed release via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/reepay-checkout-gateway/vulnerability/wordpress-frisbii-pay-plugin-1-8-2-privilege-escalation-vulnerability) and upgrade the Frisbii Pay / reepay-checkout-gateway plugin to the first release above 1.8.2 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all WordPress installations running Frisbii Pay plugin ≤1.8.2. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy