Wp Easy Pay Payment And Donation Form Builder For Square
Monthly
Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.
Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.