The CardCom Payment Gateway plugin suffers from a missing authorization flaw (CWE-862). The bug allows an attacker to perform actions that should be restricted to privileged users, such as modifying payment settings or accessing restricted information. The primary impact is the potential compromise of payment integrity and confidentiality, as unauthorized individuals can alter transaction data or retrieve payment details. In the absence of explicit detail, the flaw is interpreted as an access control weakness that can undermine the plugin’s integrity and privacy guarantees.

The vulnerability affects all installations of the CardCom Payment Gateway plugin with versions up to and including 3.5.0.7. The affected product is the WordPress plugin named CardCom Payment Gateway, developed by CardCom.

With a CVSS score of 5.3, the flaw sits in the medium severity range. The EPSS score of less than 1% indicates that the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is remote, via the plugin’s exposed web interface, as it relies on incorrect access control within the plugin code. Inferred from the description, an attacker would need to reach the plugin’s administrative functions; however, no explicit authentication requirement is stated, so the flaw can be exploited by users with any level of access that can reach the plugin pages.