Description
Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The identified flaw allows an unauthenticated attacker to bypass payment authorization and trigger transactions without proper validation. As a result, the attacker could process fraudulent payments, diverting funds and causing financial loss. This weakness maps to CWE‑472, a lack of integrity checks in the payment workflow.

Affected Systems

The vulnerability exists in WPManageNinja’s Best Payments Plugin for WP for all releases up to and including version 4.6.19. The vendor recommends upgrading to version 4.6.20 or later to address the bypass. Administrators should review installations of this plugin to confirm the affected version is in use.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity with potential impact on confidentiality, integrity, and availability of the payment system. The EPSS score being below 1 % suggests current exploitation likelihood is low, and the issue is not listed in CISA’s KEV catalog. Nonetheless, the unauthenticated nature of the vulnerability implies that an attacker could submit crafted requests to the payment endpoint, likely over the web, to exploit the bypass without any credentials. Early mitigation is therefore advised.

Generated by OpenCVE AI on June 18, 2026 at 00:46 UTC.

Remediation

Vendor Solution

Update the WordPress Best Payments Plugin for WP Plugin to the latest available version (at least 4.6.20).


OpenCVE Recommended Actions

  • Upgrade the Best Payments Plugin for WP to the latest version, at least 4.6.20, which contains the payment validation fix.
  • If the plugin is not immediately upgradeable, restrict access to the payment form to authenticated users only, ensuring that the bypass path cannot be reached by external actors.
  • Continuously monitor transaction logs for irregular or unauthorized payment attempts and, if needed, temporarily disable the payment functionality until the patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmanageninja
Wpmanageninja best Payments Plugin For Wp
Vendors & Products Wordpress
Wordpress wordpress
Wpmanageninja
Wpmanageninja best Payments Plugin For Wp

Tue, 16 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions.
Title WordPress Best Payments Plugin for WP plugin <= 4.6.19 - Payment Bypass vulnerability
Weaknesses CWE-472
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Wordpress Wordpress
Wpmanageninja Best Payments Plugin For Wp
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:30:46.983Z

Reserved: 2026-04-29T09:04:43.153Z

Link: CVE-2026-42655

cve-icon Vulnrichment

Updated: 2026-06-15T22:30:41.682Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:55.100

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42655

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:13Z

Weaknesses
  • CWE-472

    External Control of Assumed-Immutable Web Parameter