Impact
Paytiko for WooCommerce contains a missing authorization weakness (CWE‑862): a privileged operation is exposed without the capability check that should gate it, so an attacker who can reach the affected code path can perform actions the plugin intended to reserve for administrators or shop managers. The public description does not name the specific function or endpoint. For a payment-gateway plugin the plausible consequences are altering the payment configuration, reading transaction records, and exposing customer details; the impact is therefore to the confidentiality and integrity of payment-related data on affected WordPress sites.
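The following PHP is an added illustration of how CWE‑862 typically looks in a WordPress plugin; it is not code from Paytiko for WooCommerce and nothing in it is taken from the affected plugin. The hook names, option names, REST namespace and the `manage_woocommerce` capability are assumptions chosen for the example. It shows an admin-ajax action and a REST route that perform privileged work with no authorization check, beside hardened versions that verify a nonce (CSRF) and a capability (authorization) as two separate steps.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
 * NOT code from Paytiko for WooCommerce. Hook names, option names, the REST
 * namespace and the capability are assumptions made for this example.
 */

// --- Vulnerable: admin-ajax action with neither capability nor nonce check. ---
// wp_ajax_{action} fires for ANY logged-in user, so a subscriber or customer
// account can rewrite the gateway settings by POSTing to admin-ajax.php.
add_action( 'wp_ajax_example_gateway_save', 'example_gateway_save_vulnerable' );
function example_gateway_save_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_gateway_settings', $settings ); // privileged write, unguarded
    wp_send_json_success();
}

// --- Vulnerable: REST route whose permission_callback admits everyone. ---
// '__return_true' is only correct for genuinely public data; here it hands
// transaction records to unauthenticated callers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/transactions', array(
        'methods'             => 'GET',
        'callback'            => 'example_gateway_list_transactions',
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened: nonce and capability checked separately. ---
// A valid nonce only proves the request originated from a page WordPress
// rendered for this user; it says nothing about whether the user is allowed
// to perform the action. Authorization is the current_user_can() call.
add_action( 'wp_ajax_example_gateway_save_fixed', 'example_gateway_save_fixed' );
function example_gateway_save_fixed() {
    check_ajax_referer( 'example_gateway_save', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // Flat key/value settings assumed; sanitize each value before storing.
    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_gateway_settings', $settings );
    wp_send_json_success();
}

// --- Hardened: REST route gated by capability in permission_callback. ---
// Cookie-authenticated REST requests must also carry a valid X-WP-Nonce
// header, which WordPress core verifies before permission_callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/transactions-fixed', array(
        'methods'             => 'GET',
        'callback'            => 'example_gateway_list_transactions',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );

// Shared read callback; the stored option stands in for a real data source.
function example_gateway_list_transactions( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_gateway_transactions', array() ) );
}
```

For the hardened admin-ajax handler the page that triggers the request would embed `wp_create_nonce( 'example_gateway_save' )` and send it as the `nonce` field. When auditing a plugin for this weakness class, list every `wp_ajax_*`, `wp_ajax_nopriv_*` and `register_rest_route` registration and confirm that each one that reads or writes privileged state reaches a `current_user_can()` (or an equivalent capability check) before doing so; a nonce check alone, or a `permission_callback` of `__return_true`, does not satisfy that.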
Affected Systems
Vendor: Paytiko – Payment Orchestration Platform. Product: the Paytiko for WooCommerce WordPress plugin, all versions up to and including 1.3.21 (earlier releases such as 1.3.13 are affected as well). Any WordPress site with one of these versions installed is affected. According to the available information, sites running a release later than 1.3.21 are not affected. Confirm the installed version on the WordPress Plugins screen or with WP-CLI rather than relying on an update having been applied automatically.
Risk and Exploitability
The CVSS base score of 6.5 places the vulnerability in the Medium severity band. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild at present, and the issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The published data do not give the attack vector or the privilege level required. What the weakness class does establish is that whoever can reach the unprotected code path (in a WordPress plugin, typically an admin-ajax action or a REST route) obtains the privileged action without holding the corresponding capability; the original description suggests this involves a user with some level of access to the site. Missing-authorization bugs in WordPress plugins are frequently reachable by low-privileged authenticated accounts such as subscribers or customers, and WooCommerce stores routinely allow self-registration, so a low EPSS score should not be read as low exposure. Update to a release later than 1.3.21; until that is done, limiting who can register accounts and reviewing requests to admin-ajax.php and the REST API from low-privileged users narrows the window.
OpenCVE Enrichment