Impact
The vulnerability is an unauthenticated broken access control flaw in the WordPress Knit Pay plugin versions 9.4.0.0 and earlier. An attacker who can reach the plugin’s endpoints can perform any privileged administrative operation, such as modifying payment settings, viewing or deleting transaction records, or injecting arbitrary content. This weakness is identified as CWE‑862 and enables an attacker to gain full control over the plugin’s functionality without authentication.
Affected Systems
WordPress sites that have the Knit Pay plugin installed in version 9.4.0.0 or older are affected. The vulnerability does not influence other WordPress plugins or the core WordPress installation.
Risk and Exploitability
The likely attack vector is a remote unauthenticated HTTP request that reaches the plugin’s endpoints. The CVSS score of 7.5 signifies a high severity issue. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw is unauthenticated and the plugin is typically accessible to anyone who can reach the site, the attack surface is wide, so immediate patching is recommended to mitigate the risk before a publicly available exploit appears.
OpenCVE Enrichment