Description
Missing Authorization vulnerability in gunnarpayday Payday payday allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payday: from n/a through <= 3.3.18.
Published: 2025-04-03
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization checks in the Payday plugin allow an attacker to perform privileged operations within a WordPress site without proper authentication. The vulnerability is classified as a broken access control flaw, which can potentially lead to unauthorized data modification, page injection, or other privileged actions, depending on the plugin's exposed functionality.

Affected Systems

All releases of the Payday WordPress plugin from gunnarpayday, up to and including version 3.3.18, are affected. The vulnerability exists in every release that has not addressed the access control issue and is present in every environment where the plugin is installed and accessible.

Risk and Exploitability

The CVSS base score of 5.8 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests low overall exploitation probability. The vulnerability is not currently listed in CISA’s KEV catalog, which implies there are no widespread, publicly known attacks targeting this flaw. The likely exploit path requires access to the WordPress administrative interface or a user account with sufficient privileges, and the failure originates from the plugin’s incorrect configuration of access control security levels. Despite the low exploitation likelihood, the flaw can be used for privilege escalation or data tampering within the affected site.

Generated by OpenCVE AI on May 1, 2026 at 01:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Payday plugin to the latest available release (>= 3.3.19) to apply the vendor’s fix for missing authorization checks.
  • If an update is not immediately available, disable or delete the plugin to eliminate the exposure.
  • While using a temporary workaround, restrict Payday functionality so that only administrator or super-admin roles can invoke it, and enforce strict role checks in the plugin configuration.

Generated by OpenCVE AI on May 1, 2026 at 01:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14732 Missing Authorization vulnerability in gunnarpayday Payday allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payday: from n/a through 3.3.12.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in gunnarpayday Payday allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payday: from n/a through 3.3.12. Missing Authorization vulnerability in gunnarpayday Payday payday allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payday: from n/a through <= 3.3.18.
Title WordPress Payday plugin <= 3.3.12 - Broken Access Control vulnerability WordPress Payday plugin <= 3.3.18 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Thu, 03 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in gunnarpayday Payday allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payday: from n/a through 3.3.12.
Title WordPress Payday plugin <= 3.3.12 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.958Z

Reserved: 2025-04-01T13:21:14.642Z

Link: CVE-2025-31876

cve-icon Vulnrichment

Updated: 2025-04-03T18:35:57.404Z

cve-icon NVD

Status : Deferred

Published: 2025-04-03T14:15:41.413

Modified: 2026-04-23T15:28:28.130

Link: CVE-2025-31876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z

Weaknesses