Description
Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via broken access control
Action: Patch
AI Analysis

Impact

The Wava Payment plugin for WordPress contains a missing authorization flaw that permits unauthenticated or improperly authenticated users to perform actions that should be restricted to privileged administrators. This broken access control can lead to data exposure, unauthorized configuration changes, or other compromises depending on the features exposed by the plugin.

Affected Systems

The plugin is distributed by Wava.co under the name Wava Payment. Versions from the earliest released up through 0.3.7 are affected. Administrators should verify the version of the plugin installed on each WordPress site and treat any instance older than 0.4.0 as vulnerable.

Risk and Exploitability

The CVSS score is not publicly disclosed; EPSS is unavailable and the submission is not listed in the CISA KEV catalog, suggesting the risk is not currently prioritized. Nonetheless, the vulnerability allows an attacker who can reach the WordPress interface to bypass standard access controls. The attack vector is likely remote via web requests to the plugin's endpoints, and no elevated privileges are required beyond basic web access.

Generated by OpenCVE AI on April 8, 2026 at 09:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wava Payment plugin to the latest available version.
  • If an update is not immediately available, restrict access to the plugin’s administrative pages by applying server‑side access controls or using a security plugin.
  • Verify that all plugin files are properly protected and monitor logs for unauthorized changes.

Generated by OpenCVE AI on April 8, 2026 at 09:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wava.co
Wava.co wava Payment
Wordpress
Wordpress wordpress
Vendors & Products Wava.co
Wava.co wava Payment
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7.
Title WordPress Wava Payment plugin <= 0.3.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wava.co Wava Payment
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:23.375Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39609

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:30.303

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39609

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:42:08Z

Weaknesses