Impact
The vulnerability is a missing authorization control in the Payment QR WooCommerce plugin, version 1.1.6 and earlier. It lets an attacker interact with the plugin’s endpoints without proper authentication, enabling unauthorized use of the payment QR generation functions or potential exposure of sensitive payment data. Based on the description, the primary consequence is that a user who should not hold administrative privileges can perform operations normally reserved for site administrators, compromising the integrity of the payment process. The flaw is scored CVSS 5.3, indicating moderate severity, and its EPSS score of less than 1% suggests a low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is remote: the attacker reaches publicly accessible plugin URLs on a WordPress site.
Affected Systems
WordPress sites that have installed the Miguel Fuentes Payment QR WooCommerce plugin, version 1.1.6 or earlier. These sites are exposed because the plugin does not enforce proper authorization on its endpoints, making the payment QR functionality reachable by unauthenticated users.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the flaw can be exploited remotely by accessing publicly reachable plugin URLs, allowing an attacker to invoke payment QR generation or other protected functions without proper authentication.
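As an added illustration, not code from the Payment QR WooCommerce plugin (whose actual route, handler and option names are not given in this record), the hypothetical WordPress REST registration below shows the class of defect the advisory describes, an endpoint whose permission callback accepts everyone, beside a hardened registration that requires a logged-in user with a WooCommerce management capability and validates its input.

```php
<?php
// Hypothetical names: the namespace, route, handler and parameter are placeholders,
// not the plugin's own. Both routes share one handler to isolate the authorization difference.
add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN: '__return_true' as permission_callback means the QR
    // generation handler runs for any visitor, authenticated or not.
    register_rest_route( 'example-qr/v1', '/generate', array(
        'methods'             => 'POST',
        'callback'            => 'example_qr_generate',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: reject anonymous callers with 401 and callers lacking the
    // 'manage_woocommerce' capability with 403 before the handler executes.
    register_rest_route( 'example-qr/v1', '/generate-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_qr_generate',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'order_id' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) { return absint( $value ) > 0; },
            ),
        ),
    ) );
} );

// Shared handler: looks up the WooCommerce order and returns a placeholder payload.
function example_qr_generate( WP_REST_Request $request ) {
    $order_id = absint( $request->get_param( 'order_id' ) );
    $order    = function_exists( 'wc_get_order' ) ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    // Placeholder: the real plugin's QR generation is not reproduced here.
    return rest_ensure_response( array( 'order_id' => $order_id, 'qr' => 'placeholder' ) );
}
```

When the site's own front-end calls the hardened route with cookie authentication, it must send the REST nonce in the X-WP-Nonce header, otherwise WordPress treats the request as unauthenticated and the 401 branch fires.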
OpenCVE Enrichment