Skip to main content

NOWPayments for WooCommerce EUVDEUVD-2026-41339

| CVE-2026-39448 HIGH
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-84q6-57x9-mmj9
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network endpoint with no authorization check (PR:N, AV:N, AC:L, UI:N); impact is state tampering only, so I:H with C:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:11 vuln.today
CVE Published
Jul 02, 2026 - 11:15 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.

AnalysisAI

Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running NOWPayments plugin ≤1.4.0
Exploit
Send crafted request to unauthenticated endpoint
Execution
Bypass missing authorization check
Impact
Tamper with payment/order state

Vulnerability AssessmentAI

Exploitation The only prerequisite is a WordPress site running the NOWPayments for WooCommerce plugin at version 1.4.0 or earlier with the affected endpoint reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, base 7.5 HIGH) describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with high integrity impact but no confidentiality or availability loss - consistent with tampering (e.g., manipulating order/payment state) rather than data theft or service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows a store runs NOWPayments for WooCommerce <= 1.4.0 sends a crafted HTTP request directly to the plugin's unauthenticated endpoint over the network, with no login and no user interaction required. Because the endpoint lacks an authorization check, the request is processed as if authorized, letting the attacker alter payment or order state (for example, causing an order to be treated as paid). …
Remediation Upgrade the NOWPayments for WooCommerce plugin to a version later than 1.4.0 once the vendor publishes a fixed release; the input identifies the last vulnerable version as 1.4.0 but does not state an exact patched version, so no vendor-released patch version is independently confirmed at time of analysis - verify the fixed release via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/nowpayments-for-woocommerce/vulnerability/wordpress-nowpayments-for-woocommerce-plugin-1-4-0-broken-access-control-vulnerability) or the WordPress.org plugin changelog. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running NOWPayments versions 1.4.0 or earlier; disable the plugin immediately; audit all orders created or modified since plugin deployment for unauthorized changes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy