Impact
The iPOSpays Gateways WC plugin for WordPress contains a REST API endpoint /wp-json/ipospays/v1/save_settings that is configured with a permission callback returning true, effectively exposing the endpoint to all callers without any authorization checks or nonce verification. This flaw allows an unauthenticated actor to modify the entire settings object of the plugin, overwriting critical values such as live API keys, secret keys, and payment tokens stored in the woocommerce_ipospays_settings option. With these values under attacker control, the compromised site could route legitimate payment traffic through malicious endpoints, siphon funds, or inject fraudulent charges.
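As an added example (not the plugin's own code), the registration pattern the advisory describes beside a guarded version: a permission_callback that requires a capability, and a handler that merges only known keys into woocommerce_ipospays_settings. The function names and the manage_woocommerce capability are assumptions.

```php
<?php
// Added example, not code from the iPOSpays plugin. Shows the open
// permission_callback pattern and a hardened registration beside it.
// Function names and the capability checked are assumptions.

// Vulnerable shape: every caller, authenticated or not, reaches the handler.
function ipospays_example_register_open_route() {
    register_rest_route( 'ipospays/v1', '/save_settings', array(
        'methods'             => 'POST',
        'callback'            => 'ipospays_example_save_settings',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
}

// Hardened shape: require a capability. For cookie-authenticated REST calls
// WordPress core also demands a valid X-WP-Nonce header; without it the
// request is treated as anonymous and current_user_can() fails.
function ipospays_example_register_guarded_route() {
    register_rest_route( 'ipospays/v1', '/save_settings', array(
        'methods'             => 'POST',
        'callback'            => 'ipospays_example_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change gateway settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

function ipospays_example_save_settings( WP_REST_Request $request ) {
    $incoming = (array) $request->get_param( 'settings' );
    // Merge into the stored option instead of replacing it wholesale, and
    // accept only keys that already exist, so unknown fields are dropped.
    $current  = (array) get_option( 'woocommerce_ipospays_settings', array() );
    $accepted = array_intersect_key( $incoming, $current );
    $clean    = array_map( 'sanitize_text_field', $accepted );
    update_option( 'woocommerce_ipospays_settings', array_merge( $current, $clean ) );
    return rest_ensure_response( array( 'updated' => array_keys( $clean ) ) );
}

add_action( 'rest_api_init', 'ipospays_example_register_guarded_route' );
```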
Affected Systems
WordPress sites using the iPOSpays Gateways WC plugin version 1.3.7 or older are impacted. The vulnerability is present in all releases up to and including 1.3.7 of the plugin, and it directly affects the payment gateway settings stored by the plugin. No other condition is required: WordPress core and other installed plugins need not be vulnerable; the presence of the affected plugin is sufficient.
Risk and Exploitability
The CVSS base score of 5.3 corresponds to a medium severity for this missing-authorization issue. Because the REST endpoint is reachable without authentication or nonce protection, a single unauthenticated HTTP request to the endpoint suffices; no privileges on the site are required. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the absence of any authorization check makes exploitation straightforward for anyone who can reach the site over the network.
OpenCVE Enrichment