Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation.

This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7.
Published: 2026-05-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass that lets an attacker use an alternate path or channel to trigger the password recovery process without proper authentication. By exploiting this flaw, an attacker can reset a WordPress user’s password, gain the same level of access as that user, and potentially compromise the entire site. The weakness maps to CWE‑288 Authentication Bypass.

Affected Systems

ThemeHigh’s Stripe Payment Gateway for WooCommerce plugin, versions from the initial release through 5.0.7, is affected. Any WordPress site that has this plugin installed within that version range is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely through the web interface via the password recovery endpoint, which is reachable by unauthenticated users; an attacker could exploit it remotely without needing credentials. Because the flaw allows password reset for any account, the potential impact is full access to authenticated accounts and the site.

Generated by OpenCVE AI on May 25, 2026 at 23:22 UTC.

Remediation

Vendor Solution

Update the WordPress Stripe Payment Gateway for WooCommerce Plugin to the latest available version (at least 5.0.8).

OpenCVE Recommended Actions

  • Update the WordPress Stripe Payment Gateway for WooCommerce plugin to version 5.0.8 or later.
  • Disable the password recovery feature for accounts that do not require it, or enable multi‑factor authentication for WordPress login.
  • Review the site’s authentication configuration to ensure that no alternate path permits credential reset for unauthenticated users.

Generated by OpenCVE AI on May 25, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7.
Title WordPress Stripe Payment Gateway for WooCommerce plugin <= 5.0.7 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:50:41.696Z

Reserved: 2026-05-11T14:11:52.757Z

Link: CVE-2026-45217

cve-icon Vulnrichment

Updated: 2026-05-26T10:50:37.169Z

cve-icon NVD

Status : Received

Published: 2026-05-25T23:16:33.570

Modified: 2026-05-25T23:16:33.570

Link: CVE-2026-45217

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T23:30:26Z

Weaknesses