Impact
The iPOSpays Gateways WC WordPress plugin has a missing authorization flaw that can allow an attacker to bypass normal access controls. Because the plugin does not verify user permissions correctly when handling certain administrative functions, a malicious actor could manipulate payment gateway settings, view sensitive transaction details, or alter data that should be restricted to privileged users. This weakness falls under the category of missing authorization (CWE-862) and could compromise the confidentiality, integrity, or availability of the e-commerce site if an attacker successfully exploits it.
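To make the CWE-862 pattern concrete, the following is an added example of what a missing-authorization bug looks like in a WordPress payment-gateway handler, beside the hardened form a plugin author should ship. It is not the iPOSpays plugin's own code; every hook name, option name and capability used here is hypothetical.

```php
<?php
/**
 * Added example (not from the iPOSpays plugin): a minimal WordPress payment-gateway
 * settings handler in its missing-authorization form and in its hardened form.
 * All hook names, option names and capabilities below are hypothetical.
 */

// ---- What CWE-862 looks like in a plugin: the handler runs for anyone who reaches it ----
function example_gw_save_settings_missing_authz() {
    // No current_user_can() and no nonce check. wp_ajax_* hooks fire for every
    // logged-in user regardless of role, so a low-privilege account could overwrite
    // gateway settings. A wp_ajax_nopriv_* registration would extend that to anonymous
    // visitors. Sanitizing input does not help: the problem is who is allowed to call this.
    update_option( 'example_gw_settings', array(
        'merchant_id' => sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) ),
        'api_key'     => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// ---- Hardened handler: authorization first, then request integrity, then the work ----
function example_gw_save_settings_secure() {
    // 1. Authorization: require a capability that implies control over the shop.
    //    'manage_woocommerce' is held by shop managers and administrators; use
    //    'manage_options' if the setting should be administrator-only.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Request integrity: the nonce ties the request to a page this user loaded,
    //    so a privileged user cannot be tricked into submitting it cross-site.
    check_ajax_referer( 'example_gw_save_settings', 'nonce' );

    // 3. Only now touch the protected data, and still sanitize every input.
    $settings = array(
        'merchant_id' => sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) ),
        'api_key'     => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
    );
    update_option( 'example_gw_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}
// Register only the hardened handler, and never a wp_ajax_nopriv_* hook for admin actions.
add_action( 'wp_ajax_example_gw_save_settings', 'example_gw_save_settings_secure' );

// ---- Same principle for a REST route that exposes transaction details ----
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gw/v1', '/transactions', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_gw_list_transactions',
        // A permission_callback of '__return_true' is the REST equivalent of CWE-862:
        // every caller, authenticated or not, could read transaction data.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );

function example_gw_list_transactions( WP_REST_Request $request ) {
    // Hypothetical stored data; a real plugin would query its own tables.
    $transactions = get_option( 'example_gw_transactions', array() );
    return rest_ensure_response( $transactions );
}
```

The page that submits to the hardened handler must include a nonce generated with `wp_create_nonce( 'example_gw_save_settings' )` in the `nonce` field; without it `check_ajax_referer()` rejects the request. When auditing a plugin for this class of flaw, look at every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route()` callback and confirm that each one checks a capability before reading or writing anything privileged; a nonce check alone is not an authorization check.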
Affected Systems
WordPress sites that use the iPOSpays Gateways WC plugin version 1.3.7 or earlier are affected. The vulnerability affects any installation where the plugin is present and enabled, regardless of the overall WordPress version. Site administrators should verify which version is installed and check whether it falls within the affected range.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate risk. The EPSS score is below 1%, suggesting that this vulnerability is unlikely to be widely exploited at present. It is not listed in the CISA KEV catalog, meaning no known large-scale attacks have been reported. However, because the flaw permits unauthorized access to administrative features, the potential impact could be significant if an attacker can reach the relevant URLs. The attack vector is most likely remote: an attacker would send crafted HTTP requests to the plugin's endpoints, and any user whose permissions should not grant access but who can still reach those endpoints might be able to exploit the flaw. Because the issue stems from missing permission checks, the authentication requirement may be low, but the exact prerequisites are not explicitly stated in the description, so this assessment is based on inferred behavior.
OpenCVE Enrichment