Description
Missing Authorization vulnerability in YayCommerce YayPricing yaypricing allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects YayPricing: from n/a through <= 3.5.3.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862): the YayPricing plugin exposes functionality that should have been restricted by an access control check, so callers can reach it without the plugin verifying that they are allowed to. The published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) requires no privileges and no user interaction and rates the confidentiality impact high with no integrity or availability impact, so the exposure recorded is read access to data the plugin should have kept to privileged users, reachable by an unauthenticated network request. The advisory does not name the affected endpoint or the data it returns.

Affected Systems

WordPress sites running the YayCommerce YayPricing plug‑in at version 3.5.3 or earlier are affected. The advisory gives no lower bound ("from n/a"), so every release up to and including 3.5.3 should be treated as vulnerable. The flaw is reachable through the plug‑in's web‑facing functionality on any site where the plug‑in is active.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, while the EPSS score of less than 1% indicates a very low estimated probability of exploitation activity in the near term. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, so no exploitation is known at this time; SSVC also records Automatable: yes, consistent with an unauthenticated, network‑reachable request. An attacker would need to locate a WordPress site running the affected plug‑in and identify the unprotected functionality, which the advisory does not describe. A successful attack discloses data the plug‑in should have restricted, affecting the confidentiality of the site's pricing or commerce information; the published vector records no integrity or availability impact.

Generated by OpenCVE AI on April 29, 2026 at 13:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the YayPricing plug‑in to a version newer than 3.5.3 once an official patch is released, and monitor the vendor's release notes for the fixed version.
  • If a patch is not yet available, deactivate the plug‑in. Because the published vector requires no privileges (PR:N), removing or demoting user accounts does not close the exposure: the unprotected functionality is reachable without logging in.
  • Audit the plug‑in's exposed entry points (REST routes, admin‑ajax actions, admin‑post handlers) for missing capability checks, and use a web application firewall or security plugin to block unauthenticated requests to them until the patch is applied.
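As an added example of the audit in the last item (not the plugin's or OpenCVE's code): a small static check, written in Python, that scans WordPress plugin source for the two entry points most often left without an authorization check, register_rest_route() calls whose permission_callback is __return_true or absent, and wp_ajax_ / wp_ajax_nopriv_ handlers that never call current_user_can(). The plugin source it scans is a constructed sample with hypothetical route and function names; it is not YayPricing's code, and its findings say nothing about where the real flaw lies.

```python
"""Static audit for CWE-862 entry points in WordPress plugin source.
Added example, not YayPricing's code. SAMPLE_PLUGIN is a constructed fragment."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # "rest_route" or "ajax"
    name: str    # namespace+route, or the full wp_ajax_* hook name
    reason: str


def _balanced_extent(src, open_idx, open_ch, close_ch):
    """Index just past the bracket closing src[open_idx]; skips quoted PHP strings."""
    depth, i, quote = 0, open_idx, None
    while i < len(src):
        ch = src[i]
        if quote:                       # inside a '...' or "..." literal
            if ch == "\\":
                i += 1                  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == open_ch:
            depth += 1
        elif ch == close_ch:
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)                     # unbalanced: take the rest of the file


REST_RE = re.compile(r"register_rest_route\s*\(")
AJAX_RE = re.compile(r"add_action\s*\(\s*['\"](wp_ajax_(?:nopriv_)?)(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
RETURN_TRUE_RE = re.compile(r"permission_callback['\"]\s*=>\s*['\"]__return_true['\"]")


def audit_rest_routes(src):
    """Flag register_rest_route() calls whose permission_callback lets anyone in."""
    findings = []
    for m in REST_RE.finditer(src):
        call = src[m.start():_balanced_extent(src, m.end() - 1, "(", ")")]
        literals = re.findall(r"['\"]([^'\"]*)['\"]", call)   # first two: namespace, route
        route = literals[0] + literals[1] if len(literals) >= 2 else "?"
        if "permission_callback" not in call:
            reason = "no permission_callback: WordPress still serves the route to anyone"
        elif RETURN_TRUE_RE.search(call):
            reason = "permission_callback is __return_true: unauthenticated access"
        elif "current_user_can" not in call:
            reason = "permission_callback has no capability check: review manually"
        else:
            continue
        findings.append(Finding("rest_route", route, reason))
    return findings


def audit_ajax_actions(src):
    """Flag wp_ajax_* / wp_ajax_nopriv_* handlers that never call current_user_can()."""
    findings = []
    for hook, action, handler in AJAX_RE.findall(src):
        name = hook + action
        fm = re.search(r"function\s+" + re.escape(handler) + r"\s*\(", src)
        if not fm:
            findings.append(Finding("ajax", name, "handler %s not found in file" % handler))
            continue
        brace = src.index("{", fm.end())
        body = src[brace:_balanced_extent(src, brace, "{", "}")]
        if "current_user_can" not in body:
            reach = "reachable unauthenticated" if "nopriv" in hook else "reachable by any logged-in user"
            findings.append(Finding("ajax", name, "handler has no current_user_can() check; " + reach))
    return findings


def audit(src):
    return audit_rest_routes(src) + audit_ajax_actions(src)


# Constructed sample plugin source with hypothetical names (not the real plugin).
SAMPLE_PLUGIN = r"""<?php
add_action('rest_api_init', function () {
    // Vulnerable: anyone can read the pricing rules.
    register_rest_route('shop/v1', '/pricing-rules', array(
        'callback' => 'shop_get_pricing_rules',
        'permission_callback' => '__return_true',
    ));
    // Hardened: capability check runs before the callback.
    register_rest_route('shop/v1', '/pricing-rules/export', [
        'callback' => 'shop_export_pricing_rules',
        'permission_callback' => function () { return current_user_can('manage_woocommerce'); },
    ]);
    // Vulnerable: no permission_callback at all.
    register_rest_route('shop/v1', '/coupons', ['callback' => 'shop_get_coupons']);
});
add_action('wp_ajax_nopriv_shop_dump_rules', 'shop_dump_rules');
add_action('wp_ajax_shop_save_rule', 'shop_save_rule');
function shop_dump_rules() { wp_send_json(get_option('shop_pricing_rules')); }
function shop_save_rule() {
    check_ajax_referer('shop_rules');
    if (!current_user_can('manage_woocommerce')) { wp_send_json_error('forbidden', 403); }
    update_option('shop_pricing_rules', sanitize_text_field($_POST['rule']));
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGIN):
        print("%-10s %-32s %s" % (f.kind, f.name, f.reason))
```

Run it against a plugin directory by concatenating its PHP files into one string; a hit is a lead to confirm by hand, since a capability check may live in a helper the scanner does not follow, and a handler that is meant to be public (a nopriv hook serving non-sensitive data) is a finding to close with a note rather than a fix.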



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1
                           {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                           ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type          Values Removed   Values Added
Description                    Missing Authorization vulnerability in YayCommerce YayPricing yaypricing allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects YayPricing: from n/a through <= 3.5.3.
Title                          WordPress YayPricing plugin <= 3.5.3 - Broken Access Control vulnerability
Weaknesses                     CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:36:45.751Z

Reserved: 2025-09-25T15:19:48.981Z

Link: CVE-2025-60077

Vulnrichment

Updated: 2025-12-18T16:48:54.585Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:07.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses