Description
Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch
AI Analysis

Impact

A missing authorization flaw in the Razorpay for WooCommerce plugin allows an authenticated attacker or a user with an overly permissive role to bypass normal access controls and manipulate payment configuration settings. This can enable unauthorized transactions or financial manipulation, and the weakness is classified as a Broken Access Control failure (CWE‑862).

Affected Systems

WordPress sites running Razorpay for WooCommerce version 4.8.2 or earlier are affected. Any installation of the plugin within this version range exposes the site to the vulnerability regardless of additional WordPress configuration or theme usage.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity; the flaw does not provide remote code execution but can compromise the integrity of payment processing. An EPSS score of less than 1% indicates current exploitation is rare, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through an authenticated session in the WooCommerce admin interface or via a misconfigured user role that grants unnecessary permissions to modify payment settings.

Generated by OpenCVE AI on April 13, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Razorpay for WooCommerce plugin to a version newer than 4.8.2 as soon as a fix is released.
  • Enforce role‑based access controls to limit which users can modify payment settings.
  • Require strong unique passwords and enable two‑factor authentication for all administrator accounts.
  • Restrict access to the WooCommerce admin panel to trusted IP addresses where feasible.
  • Verify after the patch that no unintended users retain access to payment configuration pages.
  • Keep WordPress core, themes, and all plugins up to date to protect against future vulnerabilities.

Generated by OpenCVE AI on April 13, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Razorpay
Razorpay razorpay For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Razorpay
Razorpay razorpay For Woocommerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2.
Title WordPress Razorpay for WooCommerce plugin <= 4.8.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Razorpay Razorpay For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.954Z

Reserved: 2026-04-07T10:57:53.260Z

Link: CVE-2026-39656

cve-icon Vulnrichment

Updated: 2026-04-13T18:19:15.763Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:36.717

Modified: 2026-04-24T18:06:04.160

Link: CVE-2026-39656

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:49Z

Weaknesses