Description
Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.11.
Published: 2025-12-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Yaad Sarig Payment Gateway For WC plugin that allows exploiting incorrectly configured access control security levels. It can be leveraged to gain unauthorized access to privileged settings, potentially altering payment gateway behavior. This issue falls under CWE-862, which concerns unauthorized access to protected resources or functions.

Affected Systems

The vulnerability affects the WordPress plugin "Yaad Sarig Payment Gateway For WC", distributed by yaadsarig. All releases up to and including 2.2.11 are potentially impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is through the WordPress site, where an attacker with either a low-privileged role or unauthenticated access invokes functionality that should be restricted. The vulnerability permits the attacker to bypass intended access restrictions and manipulate payment gateway settings or related data.

Generated by OpenCVE AI on April 29, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Yaad Sarig Payment Gateway For WC plugin to the latest version that addresses the access control flaw.
  • Verify that only administrators have permission to access and modify payment gateway settings after the update.
  • If an immediate update is not possible, restrict the plugin’s administrative functions to users with the Administrator role and consider disabling any exposed endpoints that are not required for site operation.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.10.
  Values Added: Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.11.
Title
  Values Removed: WordPress Yaad Sarig Payment Gateway For WC plugin <= 2.2.10 - Broken Access Control vulnerability
  Values Added: WordPress Yaad Sarig Payment Gateway For WC plugin <= 2.2.11 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 17:15:00 +0000

First Time appeared
  Values Added: Wordpress
                Wordpress wordpress
Vendors & Products
  Values Added: Wordpress
                Wordpress wordpress
Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 16:30:00 +0000

Metrics
  Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Tue, 16 Dec 2025 08:30:00 +0000

Description
  Values Added: Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.10.
Title
  Values Added: WordPress Yaad Sarig Payment Gateway For WC plugin <= 2.2.10 - Broken Access Control vulnerability
Weaknesses
  Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:17.867Z

Reserved: 2025-11-21T11:21:32.202Z

Link: CVE-2025-66131

Vulnrichment

Updated: 2025-12-16T16:06:25.192Z

NVD

Status: Deferred

Published: 2025-12-16T09:15:57.653

Modified: 2026-06-17T09:56:22.460

Link: CVE-2025-66131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses