Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Unauthenticated network endpoint with missing authorization (PR:N/UI:N/AC:L); impact is unauthorized modification (I:H) and minor disruption (A:L) with no disclosure (C:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions.
AnalysisAI
Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable POS Entegratör plugin (version <= 3.7.103) be installed and active on an internet-reachable WordPress site; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, no user interaction, and no special non-default configuration are required to reach the missing-authorization endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L, score 8.2) indicates an easily reachable, unauthenticated network attack with high integrity impact and low availability impact, but explicitly no confidentiality impact - consistent with a broken access control write/modify primitive rather than data disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An anonymous attacker enumerates the target WordPress site, identifies the POS Entegratör plugin, and sends a crafted HTTP request directly to one of its unauthenticated action handlers. Because the handler performs no capability check (CWE-862), the request executes a privileged operation and modifies plugin or store data without any login. … |
| Remediation | No vendor-released patch version is identified in the provided data; the input only confirms versions <= 3.7.103 are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pos-entegrator/vulnerability/wordpress-pos-entegratoer-plugin-3-7-103-broken-access-control-vulnerability) and upgrade to the next release that Patchstack/the vendor marks as fixed once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations for POS Entegratör plugin versions ≤3.7.103; if operationally feasible, immediately deactivate and remove the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41297
GHSA-52qw-w4c5-82h4