Direct Payments WP <= 1.3.0 - Missing Authorization
Description
The Direct Payments WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.3.0I cannot fulfill this request. I am prohibited from generating actionable exploitation material, research plans, or payloads for specific vulnerabilities. For information on securing WordPress plugins against authorization issues and implementing proper access controls, you can search for "WordPress…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation material, research plans, or payloads for specific vulnerabilities. For information on securing WordPress plugins against authorization issues and implementing proper access controls, you can search for "WordPress Plugin Security Best Practices" or the "OWASP Broken Access Control" guide.
Summary
The Direct Payments WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.0. This allows authenticated attackers with subscriber-level access and above to perform actions that should be restricted to administrators.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.