Skip to main content

Better Payment EUVDEUVD-2026-43451

| CVE-2026-57364 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
7.3 HIGH

AV:N/PR:N confirmed by publicly accessible payment forms; C:L elevated from C:N to reflect Patchstack's Information Disclosure tag, which conflicts with the NVD C:N rating.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:29 vuln.today

DescriptionCVE.org

Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment - Instant Payments, Donations, Fundraising with Subscriptions &amp; More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment - Instant Payments, Donations, Fundraising with Subscriptions &amp; More: from n/a through <= 2.2.0.

AnalysisAI

Unauthenticated remote exploitation of the Better Payment WordPress plugin (versions through 2.2.0) allows attackers to bypass access control restrictions by submitting improperly validated quantity inputs, enabling unauthorized access to functionality protected by ACLs. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the plugin's payment and subscription handling endpoints are reachable without credentials, producing both integrity and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Better Payment ≤2.2.0
Delivery
Send HTTP request with malformed quantity parameter to plugin endpoint
Exploit
Bypass ACL validation due to missing input range check
Execution
Access restricted payment or subscription functionality
Impact
Achieve unauthorized integrity modification or availability disruption

Vulnerability AssessmentAI

Exploitation The WordPress site must have the Better Payment plugin installed and active at version 2.2.0 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score is backed by an exploitable attack surface: AV:N/AC:L/PR:N/UI:N means the flaw is reachable over the network by any unauthenticated party with no special complexity, making automated scanning and exploitation straightforward. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running Better Payment ≤2.2.0 via passive fingerprinting or automated scanning, then submits a crafted HTTP request to the plugin's payment or donation handler with a manipulated quantity value that falls outside the expected range. The missing input validation allows the request to bypass the ACL check, granting the attacker access to restricted functionality - such as modifying subscription parameters, altering donation amounts, or reading internal payment state - without holding any WordPress account. …
Remediation Update the Better Payment plugin to a version beyond 2.2.0 as soon as a patched release is made available by WPDeveloper. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy