Description
Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects MyCryptoCheckout: from n/a through 2.161.
Published: 2026-05-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to exploit incorrectly configured access control levels in the MyCryptoCheckout plugin. An unauthenticated or minimally privileged user can reach and modify sensitive administrative functions of the plugin, potentially exposing confidential transaction data or manipulating the checkout configuration. The weakness is identified as CWE-862 (Missing Authorization). Note that the published CVSS vector (PR:N, C:H/I:N/A:N) scores the flaw as requiring no privileges and as having a confidentiality impact only.

Affected Systems

WordPress sites that have installed the MyCryptoCheckout plugin version 2.161 or earlier are impacted. The affected vendor is edward_plainview and the product is the MyCryptoCheckout plugin for WordPress. The vulnerability applies to all deployments of these versions without any custom hardening applied.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity. EPSS information is not available, so the current exploitation likelihood cannot be quantified, but the vulnerable code is present in all affected installations. The vulnerability is not listed in CISA KEV, yet its high score and the fact that privileged functions can be reached without credentials mean that a determined attacker with network or endpoint exposure to the target site could abuse the flaw. The likely attack vector involves direct HTTP requests to administrative endpoints that are not protected by proper role checks.

Generated by OpenCVE AI on May 25, 2026 at 23:20 UTC.

Remediation

Vendor Solution

Update the WordPress MyCryptoCheckout Plugin to the latest available version (at least 2.162).


OpenCVE Recommended Actions

  • Upgrade the MyCryptoCheckout plugin to version 2.162 or later, which contains the vendor‑supplied fix for the missing authorization defect.
  • Delete any remaining files from older plugin versions to prevent accidental or malicious use of the vulnerable code.
  • Verify that admin pages of the checkout system are accessible only to users with the Administrator role, ensuring role‑based access controls are enforced at the application level.
  • If an immediate upgrade is not possible, apply server‑side restrictions (such as .htaccess rules or web application firewall settings) to block non‑administrator access to the plugin’s administrative URLs.

Generated by OpenCVE AI on May 25, 2026 at 23:20 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:30:00 +0000

Values Removed: (none listed)
Values Added:
  • First Time appeared: Edward Plainview; Edward Plainview mycryptocheckout; Wordpress; Wordpress wordpress
  • Vendors & Products: Edward Plainview; Edward Plainview mycryptocheckout; Wordpress; Wordpress wordpress

Tue, 26 May 2026 11:15:00 +0000

Values Removed: (none listed)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 22:45:00 +0000

Values Removed: (none listed)
Values Added:
  • Description: Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyCryptoCheckout: from n/a through 2.161.
  • Title: WordPress MyCryptoCheckout plugin <= 2.161 - Broken Access Control vulnerability
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:50:14.343Z

Reserved: 2026-05-11T14:11:52.756Z

Link: CVE-2026-45209

Vulnrichment

Updated: 2026-05-26T10:50:09.289Z

NVD

Status: Received

Published: 2026-05-25T23:16:33.320

Modified: 2026-05-25T23:16:33.320

Link: CVE-2026-45209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T12:59:54Z

Weaknesses