Impact
The vulnerability is a missing authorization flaw that allows an attacker to perform actions or access resources that should be restricted to authorized users or privileged roles. It stems from incorrectly configured access control security levels within the Virtuaria PagBank / PagSeguro para WooCommerce plugin. The weakness corresponds to CWE-862 (Missing Authorization): the plugin does not enforce the necessary privilege checks before executing sensitive operations.
Affected Systems
The issue affects all installations of the Virtuaria PagBank / PagSeguro para WooCommerce plugin from the earliest release up to version 3.6.3. WordPress sites using this plugin for payment processing are potentially vulnerable, regardless of the WordPress core or theme versions. No further details on additional affected components are provided.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate vulnerability. The EPSS score is reported to be less than 1%, suggesting that the likelihood of exploitation remains low, and the vulnerability is not listed in CISA's KEV catalog. The attack path is inferred to involve improperly protected plugin endpoints: an attacker would need to reach those endpoints, which may require some form of authenticated or partially privileged access. An attacker who succeeds can perform actions that should be restricted, because the plugin does not check authorization before carrying out privileged operations.