Description
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control leading to unauthorized plugin functionality
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits exploitation of incorrectly configured access controls within the Payment Plugins for PayPal WooCommerce plugin. Attackers could gain unauthorized access to privileged features exposed by the plugin, potentially allowing actions beyond the intended scope. This weakness is classified as CWE‑862, indicating that user or role checks are insufficient.

Affected Systems

All WordPress sites that have installed Payment Plugins for PayPal WooCommerce version 2.0.13 or earlier are affected. The issue applies to every installation of the plugin within that version range, regardless of other configuration settings.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium severity range. With an EPSS score below 1% the likelihood of exploitation is considered low at present, and it is not listed in the CISA KEV catalog. The likely attack vector is through the web interface of the WordPress site; an attacker may need to authenticate or rely on a misconfigured role to leverage the flawed access control. The impact is limited to the capabilities exposed by the plugin but could compromise payment processing flows if successful.

Generated by OpenCVE AI on April 13, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Payment Plugins for PayPal WooCommerce to the latest version where this access control issue is resolved (any release greater than 2.0.13).
  • Verify that user roles and capabilities in WordPress adhere to the principle of least privilege, ensuring no unnecessary roles have access to payment‑related administrative functions.

Generated by OpenCVE AI on April 13, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Payment Plugins
Payment Plugins payment Plugins For Paypal Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Payment Plugins
Payment Plugins payment Plugins For Paypal Woocommerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.
Title WordPress Payment Plugins for PayPal WooCommerce plugin <= 2.0.13 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Payment Plugins Payment Plugins For Paypal Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-13T19:31:05.074Z

Reserved: 2026-04-07T10:57:48.107Z

Link: CVE-2026-39643

cve-icon Vulnrichment

Updated: 2026-04-13T18:19:25.593Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:35.077

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:55Z

Weaknesses