Description
Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery.

This issue affects WP EasyPay: from n/a through 4.4.0.
Published: 2026-06-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP EasyPay plugin, up to version 4.4.0, contains a CSRF flaw that allows an attacker to trick a logged‑in user into performing privileged operations without the user's intent. This weakness, classified as CWE‑352, can lead to the unauthorized execution of payment processing or other sensitive actions within the plugin.

Affected Systems

WordPress sites that have installed Saad Iqbal’s WP EasyPay plugin version 4.4.0 or earlier are affected. Site administrators who have not upgraded beyond 4.4.0 expose their sites to this vulnerability.

Risk and Exploitability

The CVSS score of 6.5 places this issue at Medium severity. The EPSS value is not available, so the likelihood of exploitation cannot be quantified from that metric, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need to target a user with a valid authenticated session, typically an administrator, who can reach the plugin’s administrative pages. Because the forged request then arrives with that user's authentication, the plugin accepts the attacker-crafted request as legitimate.

Generated by OpenCVE AI on June 18, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP EasyPay to the latest version (greater than 4.4.0) or remove the plugin if an update is not available.
  • Ensure that the plugin uses WordPress nonce protection for all state‑changing requests and that POST actions are guarded by valid CSRF tokens.
  • Implement HTTPS site-wide, enforce secure cookies, and restrict plugin access to trusted administrators, optionally adding two‑factor authentication for admin accounts.



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Saad Iqbal; Saad Iqbal wp Easypay; Wordpress; Wordpress wordpress
Vendors & Products | | Saad Iqbal; Saad Iqbal wp Easypay; Wordpress; Wordpress wordpress

Thu, 18 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery. This issue affects WP EasyPay: from n/a through 4.4.0.
Title | | WordPress WP EasyPay plugin <= 4.4.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-18T17:24:38.570Z

Reserved: 2026-06-18T14:37:29.429Z

Link: CVE-2026-56024

Vulnrichment

Updated: 2026-06-18T17:24:35.808Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:14Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)