{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25469", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.642Z", "datePublished": "2026-03-25T16:14:51.967Z", "dateUpdated": "2026-03-25T16:14:51.967Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "viabill-woocommerce", "product": "ViaBill &#8211; WooCommerce", "vendor": "ViaBill for WooCommerce", "versions": [{"lessThanOrEqual": "<= 1.1.53", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:30.024Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill &#8211; WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ViaBill &#8211; WooCommerce: from n/a through <= 1.1.53.</p>"}], "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill &#8211; WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ViaBill &#8211; WooCommerce: from n/a through <= 1.1.53."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:51.967Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/viabill-woocommerce/vulnerability/wordpress-viabill-woocommerce-plugin-1-1-53-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress ViaBill \u2013 WooCommerce plugin <= 1.1.53 - Settings Change vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill &#8211; WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ViaBill &#8211; WooCommerce: from n/a through <= 1.1.53."}], "id": "CVE-2026-25469", "lastModified": "2026-03-25T17:16:52.827", "metrics": {}, "published": "2026-03-25T17:16:52.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/viabill-woocommerce/vulnerability/wordpress-viabill-woocommerce-plugin-1-1-53-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:48:01.249734+00:00", "value": {"mitigation_remediation": ["Update the ViaBill for WooCommerce plugin to a version newer than 1.1.53.", "Verify that only authorized administrators are granted permission to access payment settings.", "Disable the plugin temporarily if an update cannot be applied immediately.", "Enforce strong passwords and two\u2011factor authentication for all administrative accounts.", "Monitor audit logs for unexpected changes to plugin settings."], "summary": {"action": "Update Plugin", "impact": "Unauthorized configuration changes"}, "threat_synthesis": {"affected_systems": "The flaw exists in the ViaBill \u2013 WooCommerce WordPress plugin, affecting all installations running version 1.1.53 or earlier.", "description_and_impact": "This vulnerability is a missing authorization flaw in the ViaBill for WooCommerce plugin. An attacker who can access the settings page can modify payment gateway configuration, redirect rules, or other critical settings. Without proper safeguards, the attacker can alter how payments are processed or captured, potentially facilitating fraudulent transactions.", "risk_and_exploitability": "The CVSS score is not reported, but the potential for financial loss and compromised payment data suggests a high impact. Exploitation requires access to the plugin\u2019s settings interface and does not necessarily involve code execution. Given the lack of EPSS data and the absence of a KEV listing, the vulnerability may not yet be widely exploited, yet the risk remains significant for sites that have not applied updates."}}}}, "created": "2026-03-25T21:44:15.407913+00:00", "updated": "2026-03-25T21:44:15.407951+00:00", "vendors": []}