CVE-2026-45209

MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce <= 2.161 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.162
Patched in
8d
Time to patch

Description

The MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.161. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.161
PublishedMay 12, 2026
Last updatedMay 19, 2026
Affected pluginmycryptocheckout

What Changed in the Fix

Changes introduced in v2.162

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

' ); data = atob( data ); data = jQuery.parseJSON( data ); return data; } ``` I'll have the agent use `browser_eval` to get this JSON. - Target URL: `/wp-admin/admin-ajax.php` - Action: `mycryptocheckout_cancel_payment` (inferred from `WooCommerce.php:129…

Show full research plan

' );
data = atob( data );
data = jQuery.parseJSON( data );
return data;
}
```
I'll have the agent use browser_eval to get this JSON.

- Target URL: `/wp-admin/admin-ajax.php`
- Action: `mycryptocheckout_cancel_payment` (inferred from `WooCommerce.php:129`)
- Param: `order_id`

Wait, if the vulnerability is actually `mcc_save_settings`, I should mention it. But the instructions say "GROUND your plan in the source files provided". `mycryptocheckout_cancel_payment` is in the source.

*Final Plan Structure:*
1.  Vulnerability Summary: Missing capability check in `mycryptocheckout_cancel_payment`.
2.  Attack Vector: AJAX endpoint.
3.  Code Flow: `WooCommerce::_construct` -> `add_action` -> `mycryptocheckout_cancel_payment`.
4.  Nonce: Extract from `#mycryptocheckout_checkout_data`.
5.  Payload: `action=mycryptocheckout_cancel_payment&order_id=X`.

Wait, I'll search for one more thing. Is there any `wp_ajax_nopriv` in the source?
No. It's likely in the parent class `\plainview

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.