Description
The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.
Published: 2025-05-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Plugin Settings
Action: Patch
AI Analysis

Impact

The Splitit plugin for WordPress contains missing capability checks within the splitIt-flexfields-payment-gateway.php file across all releases up to version 4.2.8. Authenticated users who hold the Subscriber role or any higher privilege can modify plugin configuration, for instance toggling the payment environment between sandbox and production, without proper authorization.

Affected Systems

Affected systems are WordPress sites that have installed the Splitit installment‑payments plugin in a version 4.2.8 or earlier. The vulnerability resides in the plugin’s splitIt-flexfields-payment-gateway.php file and can be leveraged by users possessing authenticated access with Subscriber-level or greater permissions.

Risk and Exploitability

The CVSS score of 5.4 categorizes the flaw as moderate severity for unauthorized configuration changes. The EPSS rating of less than 1% indicates a very low exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated on the site with at least Subscriber privileges, making it a privilege‑related configuration issue rather than a remote code execution vector.

Generated by OpenCVE AI on April 22, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Splitit plugin to a version newer than 4.2.8 once an official fix is released.
  • Configure WordPress user roles so that only Administrators have the capability to modify plugin settings, removing this permission from Subscriber and related roles.
  • Verify the current payment environment setting, and implement a controlled approval process for any changes to ensure only authorized users can alter the configuration.

Generated by OpenCVE AI on April 22, 2026 at 01:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16079 The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Wed, 21 May 2025 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 May 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.
Title Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:34.197Z

Reserved: 2025-04-29T23:43:47.744Z

Link: CVE-2025-4105

cve-icon Vulnrichment

Updated: 2025-05-21T10:11:45.582Z

cve-icon NVD

Status : Deferred

Published: 2025-05-21T12:16:22.473

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4105

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses