Description
Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated bypass vulnerability exists in the WordPress Stripe Payments plugin versions up to and including 2.0.98. The flaw allows an attacker to bypass intended access controls, enabling them to perform actions normally restricted to authenticated users. The weakness is categorized as CWE-440, indicating an omission of output restrictions that can be exploited to compromise authorization logic, potentially leading to unauthorized payments or data manipulation.

Affected Systems

The vulnerability affects the WordPress Stripe Payments plugin (Team Tips and Tricks HQ:Stripe Payments) at versions 2.0.98 and earlier. No additional product or vendor variants are listed.

Risk and Exploitability

The CVSS score is 6.5, reflecting a moderate severity impact. The EPSS score is below 1%, indicating a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, unauthenticated, exploiting the plugin's access control logic to trigger unauthorized actions.

Generated by OpenCVE AI on June 18, 2026 at 00:41 UTC.

Remediation

Vendor Solution

Update the WordPress Stripe Payments Plugin to the latest available version (at least 2.0.99).


OpenCVE Recommended Actions

  • Bring the WordPress Stripe Payments Plugin to version 2.0.99 or newer on all sites that use it.
  • Until the plugin is updated, restrict the plugin’s functionality or limit access to it by disabling the plugin on public‑facing pages or using role‑based access controls to ensure only administrators can invoke payment processing.
  • After applying the update, review site logs for signs of unauthorized attempts to trigger payment actions and treat any suspicious activity as a potential exploitation.

Generated by OpenCVE AI on June 18, 2026 at 00:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mra13 / Team Tips And Tricks Hq
Mra13 / Team Tips And Tricks Hq stripe Payments
Wordpress
Wordpress wordpress
Vendors & Products Mra13 / Team Tips And Tricks Hq
Mra13 / Team Tips And Tricks Hq stripe Payments
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.
Title WordPress Stripe Payments plugin <= 2.0.98 - Bypass Vulnerability vulnerability
Weaknesses CWE-440
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Mra13 / Team Tips And Tricks Hq Stripe Payments
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:23:21.946Z

Reserved: 2026-04-29T09:05:35.592Z

Link: CVE-2026-42752

cve-icon Vulnrichment

Updated: 2026-06-16T01:23:17.424Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:57.240

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42752

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:02Z

Weaknesses
  • CWE-440

    Expected Behavior Violation