Description
The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.
Published: 2025-07-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Invoice Generation
Action: Immediate Patch
AI Analysis

Impact

The Vchasno Kasa WordPress plugin contains a missing capability check in the mrkv_vchasno_kasa_wc_do_metabox_action() function. This flaw allows any visitor, even one who is not logged in, to request the creation of invoices for any order. As a result, attackers could generate fraudulent invoices, potentially leading to financial losses or the exposure of confidential order information.

Affected Systems

The vulnerability exists in the bandido Vchasno Kasa Integration plugin for WordPress up to version 1.0.3, inclusive.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS score is reported as below 1%, suggesting a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating that it is not widely exploited in the wild. Attackers can exploit the weakness remotely by sending crafted requests to the plugin's endpoint, because the server-side handler performs no authorization check.

Generated by OpenCVE AI on April 21, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Vchasno Kasa plugin that includes the missing capability check.
  • If an update is not immediately possible, temporarily disable the plugin or remove the mrkv_vchasno_kasa_wc_do_metabox_action() endpoint from the site until a patch is applied.
  • If the plugin must remain active, implement an additional capability check in a custom plugin or via a WP hook to ensure that only users with an appropriate role can trigger invoice generation.


Advisories
Source: EUVD
ID: EUVD-2025-21952
Title: The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

History

Mon, 21 Jul 2025 18:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 19 Jul 2025 05:45:00 +0000

Values Removed: none
Values Added:
  Description: The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.
  Title: Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation
  Weaknesses: CWE-862
  References:
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:26.633Z

Reserved: 2025-06-26T14:07:49.904Z

Link: CVE-2025-6721

Vulnrichment

Updated: 2025-07-21T17:49:33.592Z

NVD

Status: Deferred

Published: 2025-07-19T06:15:24.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses