Impact
The vulnerability lies in missing capability checks in the upload_csv and process_batch functions of the Frisbii Pay WordPress plugin (versions <= 1.8.9). As a result, an attacker logged in with the Subscriber role or higher can call these endpoints, upload arbitrary CSV files, and overwrite existing WooCommerce payment tokens, postmeta, and order meta records. This allows an authenticated low-privilege user to tamper with merchant payment data, which may lead to fraudulent orders or loss of payment integrity, affecting the confidentiality and integrity of transaction data.
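To make the class of bug concrete, the following is an added illustration written for this page; it is not the Frisbii Pay plugin's code and does not reproduce its implementation. It shows a WordPress admin-ajax handler for a CSV import that every logged-in user can reach (no capability check, no nonce), beside a hardened handler that rejects the request before any data is touched. The hook names, function names, the `example_pay_*` prefix, the `nonce` field and the `_example_pay_token` meta key are all hypothetical; the `manage_woocommerce` capability is assumed to be the right one for a store-management action.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_pay_ are hypothetical.

// --- Vulnerable pattern: reachable by any authenticated user -------------------
// wp_ajax_* hooks fire for every logged-in user, Subscriber included, so the
// handler itself must authorize the caller. This one does not.
add_action( 'wp_ajax_example_pay_upload_csv', 'example_pay_upload_csv_vulnerable' );
function example_pay_upload_csv_vulnerable() {
    if ( empty( $_FILES['csv']['tmp_name'] ) ) {
        wp_send_json_error( 'no file' );
    }
    // Rows are trusted and written straight into order meta.
    foreach ( array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) ) as $row ) {
        update_post_meta( (int) $row[0], '_example_pay_token', $row[1] );
    }
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------------
add_action( 'wp_ajax_example_pay_upload_csv_safe', 'example_pay_upload_csv_safe' );
function example_pay_upload_csv_safe() {
    // 1. CSRF: the request must carry a nonce issued for exactly this action.
    //    The submitting form is assumed to include
    //    wp_create_nonce( 'example_pay_upload_csv' ) in a field named "nonce".
    check_ajax_referer( 'example_pay_upload_csv', 'nonce' );

    // 2. Authorization: only users allowed to manage the store may proceed.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate that a real upload arrived and that it is a CSV file.
    if ( empty( $_FILES['csv'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $check = wp_check_filetype_and_ext(
        $_FILES['csv']['tmp_name'],
        $_FILES['csv']['name'],
        array( 'csv' => 'text/csv' )
    );
    if ( 'csv' !== $check['ext'] ) {
        wp_send_json_error( 'expected a CSV file', 400 );
    }

    // 4. Validate every row before it can reach payment or order data.
    $handle   = fopen( $_FILES['csv']['tmp_name'], 'r' );
    $imported = 0;
    while ( false !== ( $row = fgetcsv( $handle ) ) ) {
        $order_id = absint( $row[0] ?? 0 );
        $token    = sanitize_text_field( $row[1] ?? '' );
        $order    = wc_get_order( $order_id );
        if ( ! $order || '' === $token ) {
            continue; // skip rows that do not refer to an existing order
        }
        $order->update_meta_data( '_example_pay_token', $token );
        $order->save();
        $imported++;
    }
    fclose( $handle );
    wp_send_json_success( array( 'imported' => $imported ) );
}
```

The order of the checks matters: the nonce and capability tests run before the file is opened, so an unauthorized caller never causes a write. Note that nonces alone are not authorization; a Subscriber can obtain a nonce from any page that prints one, which is why the `current_user_can()` check is the one that actually closes the hole described above.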
Affected Systems
The affected systems are WordPress installations running the Frisbii Pay plugin by reepaydenmark at version 1.8.9 or earlier. The plugin integrates with WooCommerce, so any store that uses it and still contains the vulnerable functions is at risk. The issue does not affect core WordPress or WooCommerce; only this plugin is affected. According to the CNA, all versions up to and including 1.8.9 are vulnerable.
Risk and Exploitability
The CVSS score for this issue is 6.5, which places it in the medium severity range: serious but not critical. Exploitation requires the attacker to already hold a valid WordPress account with at least Subscriber-level permissions, a moderate prerequisite. No EPSS score is available, but the vulnerability is publicly disclosed and could be exploited by anyone holding such an account, especially on common e-commerce sites. It is not listed in CISA's KEV, so no in-the-wild exploitation has been recorded there, yet the potential damage to payment token integrity could have a significant business impact. The most likely attack vector is remote, via the front-end or admin pages of the affected WordPress site, with the attacker leveraging the unrestricted CSV upload feature.
OpenCVE Enrichment