Description
Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation. This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access (login), potential administrative takeover
Action: Immediate Patch
AI Analysis

Impact

The Addi – Cuotas que se adaptan a ti plugin for WordPress ships with hard-coded credentials that its password-recovery flow accepts. The weakness is classified as CWE-798 (Use of Hard-coded Credentials). Because the credentials are fixed in the plugin code rather than generated per site, anyone who reads the plugin source holds them for every installation, and an attacker can use them to complete password recovery and log in without knowing any legitimate user's password. The CVSS vector records the impact as high on integrity with no direct confidentiality or availability impact; how much the attacker can then do depends on the privileges of the account the recovery flow hands over. If that account is an administrator, the attacker can change site settings, alter content and data, and use the site to stage further attacks.

Affected Systems

Addi – Cuotas que se adaptan a ti WordPress plugin, version 2.0.4 and earlier. The vulnerability affects all installations using these plugin versions on any WordPress site.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) classifies the issue as high severity: the attack is network-reachable, low complexity, and needs neither privileges nor user interaction, with a high integrity impact and no direct confidentiality or availability impact. EPSS puts the probability of exploitation in the next 30 days below 1%, and the issue is not listed in the CISA KEV catalog; the SSVC record marks exploitation as 'none' but the attack as automatable, which matters here because the same hard-coded credentials work against every unpatched installation. The attack surface is the password-recovery endpoint, which is reachable without logging in, so the vector is remote and unauthenticated. The flaw does not by itself give arbitrary code execution, but an account obtained this way carries that account's privileges, and a WordPress administrator session can install plugins and edit theme files, which is the standard route from administrative access to code execution on the server.

Generated by OpenCVE AI on March 26, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Addi plugin to a version newer than 2.0.4 as soon as one is available; at the time of writing no vendor fix is listed.
  • Until a fixed version exists, deactivate and remove the plugin so the password-recovery code that accepts the hard-coded credentials is no longer reachable. Hard-coded credentials cannot be rotated by the site owner, so there is no configuration-only workaround.
  • Rotate all administrative passwords and review user accounts for unexpected additions, role changes, or changed e-mail addresses.
  • Monitor web-server and authentication logs for password-recovery requests and logins that do not match known administrator activity.
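The first two actions above reduce to a question that has to be answered on every site in a fleet: is buy-now-pay-later-addi installed, which version, and is it active? The script below is an added example written for this page, not code from OpenCVE, Patchstack or the plugin vendor. It parses the JSON that the real WP-CLI command `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`) and applies the affected range from the CVE record (`<= 2.0.4`). The plugin slug comes from the CVE description; the embedded `SAMPLE_PLUGIN_LIST` is constructed for offline use and is not output from a real site. Running it without arguments assumes WP-CLI is on the PATH and the working directory is a WordPress install.

```python
"""Fleet check for CVE-2026-27073: flag sites running buy-now-pay-later-addi <= 2.0.4.

Reads the JSON produced by `wp plugin list --format=json` and reports whether the
affected plugin is installed, its version, and whether it is active.
Usage:  python addi_check.py            (runs WP-CLI in the current site directory)
        python addi_check.py saved.json (checks previously captured WP-CLI output)
"""
import json
import subprocess
import sys
from typing import Optional

AFFECTED_SLUG = "buy-now-pay-later-addi"  # plugin slug given in the CVE description
LAST_AFFECTED = "2.0.4"                   # CVE record: "from n/a through <= 2.0.4"

# Constructed sample of WP-CLI output for offline use; not data from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": AFFECTED_SLUG, "status": "active", "update": "none", "version": "2.0.4"},
])


def parse_version(text: str) -> tuple:
    """Turn '2.0.4' (or '2.0.4-beta') into a tuple of ints, ignoring any suffix."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version <= 2.0.4, comparing component-wise with zero padding."""
    v, last = parse_version(version), parse_version(LAST_AFFECTED)
    width = max(len(v), len(last))
    return v + (0,) * (width - len(v)) <= last + (0,) * (width - len(last))


def find_affected(plugin_list_json: str) -> Optional[dict]:
    """Return the plugin's version/status with an 'affected' flag, or None if absent."""
    for entry in json.loads(plugin_list_json):
        if entry.get("name") == AFFECTED_SLUG:
            version = entry.get("version", "0")
            return {
                "version": version,
                "status": entry.get("status", ""),
                "affected": is_affected(version),
            }
    return None


def main(argv) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:   # saved `wp plugin list` output
            raw = fh.read()
    else:
        raw = subprocess.run(
            ["wp", "plugin", "list", "--format=json"],
            check=True, capture_output=True, text=True,
        ).stdout
    found = find_affected(raw)
    if found is None:
        print(f"{AFFECTED_SLUG}: not installed")
        return 0
    if not found["affected"]:
        print(f"{AFFECTED_SLUG} {found['version']}: outside the affected range")
        return 0
    print(f"{AFFECTED_SLUG} {found['version']} ({found['status']}): AFFECTED by CVE-2026-27073")
    # Deactivating alone leaves the vulnerable PHP on disk; deleting removes it.
    print(f"  suggested: wp plugin deactivate {AFFECTED_SLUG} && wp plugin delete {AFFECTED_SLUG}")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code 2 on an affected site makes the script usable from a fleet runner that collects results per host. Version comparison is done component-wise rather than as a string so that a future 2.0.10 is correctly treated as newer than 2.0.4.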


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Thu, 26 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Addi
                                       Addi addi – Cuotas Que Se Adaptan A Ti
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Addi
                                       Addi addi – Cuotas Que Se Adaptan A Ti
                                       Wordpress
                                       Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation. This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4.
Title                          WordPress Addi – Cuotas que se adaptan a ti plugin <= 2.0.4 - Broken Authentication vulnerability
Weaknesses                     CWE-798
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:30.687Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27073

Vulnrichment

Updated: 2026-03-26T19:04:54.958Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:54.793

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:27Z

Weaknesses