The vulnerability is a missing authorization flaw that allows exploitation of incorrectly configured access control security levels within the OnPay.io for WooCommerce plugin. This flaw is categorized as CWE‑862, indicating a failure to verify an access right before permitting a privileged action. Attackers who can interact with the plugin’s endpoints may be able to read sensitive data, modify settings, or perform other actions they should not be authorized to execute, thereby compromising the confidentiality, integrity, or availability of the site’s functionality.

Any WordPress installation that has the OnPay.io for WooCommerce plugin installed in a version up to and including 1.0.47 is affected. The CVE records that the issue applies from unspecified lower bounds through version 1.0.47 without later releases, so all sites using any version of the plugin up to that point are vulnerable.

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, using HTTP requests to the plugin’s exposed endpoints, and it requires an attacker to be able to submit requests to those endpoints, though the flaw does not seem to require further authentication. The risk thus remains moderate but low in terms of exploitation probability.