Frisbii Pay
Monthly
Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.
Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.