Skip to main content

Frisbii Pay

1 CVEs product

Monthly

CVE-2026-3462 MEDIUM This Month

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.

Authentication Bypass WordPress Frisbii Pay
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.

Authentication Bypass WordPress Frisbii Pay
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy