Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Subscriber-level authentication (PR:L) is the only barrier; network-reachable AJAX endpoint with no complexity; integrity-only impact as payment data is overwritten but not disclosed.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
AnalysisAI
Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's upload_csv and process_batch functions in the MigrationMobilepayToVipps class perform no WordPress capability checks before processing caller-supplied CSV data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active WordPress session with at least Subscriber-level privileges (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a WordPress site running Frisbii Pay with open user registration enabled. The attacker then sends a crafted authenticated POST request to the WordPress admin-ajax endpoint invoking the `upload_csv` action with a maliciously constructed CSV payload, causing the plugin to overwrite WooCommerce payment tokens with attacker-controlled values - potentially redirecting payment processing or corrupting transaction records for targeted orders. … |
| Remediation | An upstream code fix has been committed to the WordPress plugin repository as changeset 3485246 (https://plugins.trac.wordpress.org/changeset/3485246/); however, the exact patched release version number is not independently confirmed from the available data - site owners should verify the current plugin version in the WordPress plugin repository changelog and update to any version above 1.8.9 once a tagged release incorporating the changeset is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39958
GHSA-mxv8-m55g-xf4p