Impact
An unauthenticated broken access control flaw exists in the WordPress Redsys for WooCommerce Light plugin versions 7.0.0 and earlier. The vulnerability allows an attacker who does not possess administrator credentials to access privileged endpoints and perform actions normally restricted to authorized users. This can lead to unauthorized manipulation of the plugin’s configuration, potentially affecting payment processing or other sensitive functions. The flaw is rooted in improper enforcement of access control checks (CWE‑862).
Affected Systems
WordPress sites that have installed the Redsys for WooCommerce Light plugin by Jose Conti, specifically any version 7.0.0 or older. The vendor name is Jose Conti and the product is the Redsys for WooCommerce Light plugin.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through the web interface where unauthenticated requests to the plugin’s protected endpoints can trigger the broken access control. If exploited, an attacker could gain administrative privileges over the plugin, alter settings, or potentially interfere with payment processing.
OpenCVE Enrichment