Description
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.
Published: 2026-06-25
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw within the WordPress UPI QR Code Payment Gateway for WooCommerce plugin. It allows an attacker to bypass authentication or authorization checks when interacting with the plugin’s payment processing functions. As a result, an attacker could manipulate order data, trigger unauthorized payment requests, or retrieve sensitive transaction information, thereby compromising confidentiality, integrity, or availability of the e‑commerce system.

Affected Systems

The affected product is the Knit Pay UPI QR Code Payment Gateway for WooCommerce plugin for WordPress. Versions up to and including 1.6.2 are impacted. Later releases, starting with 1.6.3, contain the fix.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity vulnerability. EPSS data is not available, so the likelihood of exploitation cannot be quantified from these metrics; however, the flaw exists in a widely used WordPress plugin, suggesting a potential for exploitation. It is not listed in CISA KEV. The likely attack path is through the plugin’s API or administrative interfaces exposed by the WordPress installation, where an authenticated or possibly unauthenticated user could alter request parameters to access protected resources.

Generated by OpenCVE AI on June 25, 2026 at 16:40 UTC.

Remediation

Vendor Solution

Update the WordPress UPI QR Code Payment Gateway for WooCommerce Plugin to the latest available version (at least 1.6.3).


OpenCVE Recommended Actions

  • Update the WordPress UPI QR Code Payment Gateway for WooCommerce plugin to version 1.6.3 or higher.
  • Limit WordPress user roles to only allow trusted administrators to access the plugin’s payment processing pages.
  • If an update cannot be applied immediately, disable the UPI payment gateway feature or block its network endpoints until the patch is applied.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Knitpay; Knitpay upi Qr Code Payment Gateway For Woocommerce; Wordpress; Wordpress wordpress |
| Vendors & Products | | Knitpay; Knitpay upi Qr Code Payment Gateway For Woocommerce; Wordpress; Wordpress wordpress |

Thu, 25 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 25 Jun 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions. |
| Title | | WordPress UPI QR Code Payment Gateway for WooCommerce plugin <= 1.6.2 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:54:13.682Z

Reserved: 2026-06-18T14:37:29.429Z

Link: CVE-2026-56023

Vulnrichment

Updated: 2026-06-25T14:54:09.440Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses