This vulnerability is a missing authorization flaw in the Onepay Sri Lanka Onepay Payment Gateway for WooCommerce plugin. An attacker who can exploit incorrectly configured access control security levels can gain unauthorized access to privileged functions or sensitive data within the plugin. The impact is the potential for privilege escalation or data theft because users lacking proper permissions can invoke privileged operations.

WordPress sites using the Onepay Sri Lanka Onepay Payment Gateway for WooCommerce plugin. All versions from the earliest available through 1.1.2 are affected. Site administrators or developers should verify the plugin version and ensure it falls within this range to determine exposure.

The CVSS v3.1 score of 6.5 indicates moderate severity, reflecting the potential for unauthenticated exploitation without needing any remote code execution. The EPSS score of <1% suggests that, currently, successful exploitation is considered low probability, although no security advisory has listed it in the CISA KEV catalog. The likely attack vector is through the web application, exploiting the misconfigured access control. The vulnerability can be exploited if the attacker is able to access the plugin’s protected administrative endpoints, which are usually reachable via standard HTTP requests from the plugin’s API or dashboard URLs.