Skip to main content

Frisbii Pay EUVDEUVD-2026-39958

| CVE-2026-3462 MEDIUM
Missing Authorization (CWE-862)
2026-06-27 Wordfence GHSA-mxv8-m55g-xf4p
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Subscriber-level authentication (PR:L) is the only barrier; network-reachable AJAX endpoint with no complexity; integrity-only impact as payment data is overwritten but not disclosed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:50 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.

AnalysisAI

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's upload_csv and process_batch functions in the MigrationMobilepayToVipps class perform no WordPress capability checks before processing caller-supplied CSV data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Subscriber account
Delivery
Craft malicious CSV payload
Exploit
POST to admin-ajax upload_csv endpoint
Execution
Bypass absent capability check
Persist
Overwrite WooCommerce payment tokens and order meta
Impact
Corrupt or redirect payment records

Vulnerability AssessmentAI

Exploitation Exploitation requires an active WordPress session with at least Subscriber-level privileges (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a WordPress site running Frisbii Pay with open user registration enabled. The attacker then sends a crafted authenticated POST request to the WordPress admin-ajax endpoint invoking the `upload_csv` action with a maliciously constructed CSV payload, causing the plugin to overwrite WooCommerce payment tokens with attacker-controlled values - potentially redirecting payment processing or corrupting transaction records for targeted orders. …
Remediation An upstream code fix has been committed to the WordPress plugin repository as changeset 3485246 (https://plugins.trac.wordpress.org/changeset/3485246/); however, the exact patched release version number is not independently confirmed from the available data - site owners should verify the current plugin version in the WordPress plugin repository changelog and update to any version above 1.8.9 once a tagged release incorporating the changeset is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy