Impact
The ViaBill – WooCommerce plugin up to version 1.1.53 has a missing authorization flaw that permits exploitation of incorrectly configured access control levels. As a result, an attacker can change the plugin’s configuration settings without proper authentication. Exploiting this CWE‑862 vulnerability can alter payment processing parameters and affect how the plugin operates within WordPress, potentially compromising transaction integrity and exposing sensitive financial data.
Affected Systems
All WordPress installations that use the ViaBill – WooCommerce plugin version 1.1.53 or earlier are affected. Any site relying on this plugin for payment handling is vulnerable to unauthorized configuration changes.
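To find affected installs, the following added example (not code from the plugin or from OpenCVE) reads WordPress plugin headers under a plugins directory and flags any ViaBill plugin at or below 1.1.53. Matching on "viabill" in the `Plugin Name` header, the header text itself and the sample folder names are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 1, 53)  # advisory: "up to version 1.1.53"
# WordPress-style plugin header fields inside the leading PHP comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def read_header(php_file):
    """Return lower-cased header fields found in the first 8 KiB of the file."""
    head = Path(php_file).read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER.findall(head)}

def version_tuple(text):
    """'1.1.53' -> (1, 1, 53); parsing stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def audit(plugins_dir):
    """List (plugin folder, version, affected?) for plugins whose name mentions ViaBill."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        name, version = header.get("plugin name", ""), header.get("version", "")
        if "viabill" in name.lower() and version:
            affected = version_tuple(version) <= LAST_AFFECTED
            findings.append((php_file.parent.name, version, affected))
    return findings

def demo():
    """Run the audit over constructed sample headers (folder names are made up)."""
    samples = {"site-a-viabill": "1.1.53", "site-b-viabill": "1.1.9",
               "site-c-viabill": "1.2.0", "other-gateway": "0.9"}
    with tempfile.TemporaryDirectory() as root:
        for folder, version in samples.items():
            name = "Other Gateway" if folder == "other-gateway" else "ViaBill - WooCommerce"
            plugin = Path(root, folder)
            plugin.mkdir()
            plugin.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    for folder, version, affected in demo():
        print(f"{folder}: {version} -> {'AFFECTED' if affected else 'not in affected range'}")
```

Versions are compared component by component, so 1.1.9 is flagged as older than 1.1.53 where a plain string comparison would not flag it.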
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests low current exploit activity, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the plugin’s settings interface, which can be accessed by any authenticated user who has permission to view or edit the settings. Based on the description, it is inferred that such an attacker could alter configuration values, potentially enabling unauthorized payment routes or disabling security checks. Although exploitation probability is low at present, the ability to change core settings increases risk until the plugin is updated or otherwise mitigated.