CVE-2026-39650

UnitechPay <= 1.0.2 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The UnitechPay plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.0.2
Published: February 15, 2026
Last updated: April 15, 2026
Research Plan: Unverified


Exploitation Research Plan: CVE-2026-39650 (UnitechPay)

1. Vulnerability Summary

The UnitechPay – Wave & Orange Money Payments plugin (versions <= 1.0.2) contains a Missing Authorization vulnerability. This typically occurs when a sensitive function (e.g., saving settings, updating order statuses, or exporting data) is hooked to admin_init, wp_ajax_, or wp_ajax_nopriv_ but lacks a call to current_user_can().

Because admin_init is triggered when accessing wp-admin/admin-ajax.php (even for unauthenticated users), any logic inside an admin_init hook that processes $_POST data without a capability check is reachable by unauthenticated attackers.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (or any admin-area URL if admin_init is used).
  • HTTP Method: POST
  • Payload Parameters: Inferred parameters related to plugin settings (e.g., unitechpay_merchant_id, unitechpay_secret_key) or order status updates.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. If the vulnerability is in settings modification, no specific content is needed. If it's in order status modification, a WooCommerce order must exist.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to /wp-admin/admin-ajax.php.
  2. Hook Trigger: WordPress core initializes and fires the admin_init hook.
  3. Execution: The plugin's vulnerable function (e.g., unitechpay_save_settings or up_process_actions) is executed because it is registered via add_action( 'admin_init', ... ).
  4. Logic: The function checks if specific $_POST keys exist.
  5. Missing Check: The function fails to verify current_user_can( 'manage_options' ).
  6. Sink: The function calls update_option() or $wpdb->update() using the attacker-supplied values.
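The inferred code flow above, as an added illustration that is not the plugin's own code: the admin_init pattern the page describes next to the hardened form a maintainer would ship (capability check, nonce check, input sanitization before the sink). The function, option and nonce names are the page's inferred examples and are assumptions.

```php
<?php
// Added illustration, not UnitechPay's code. Names (unitechpay_save_settings,
// unitechpay_merchant_id, unitechpay_secret_key, 'unitechpay_action') are the
// page's inferred examples and are assumptions.

// --- Inferred vulnerable pattern: admin_init callback that trusts $_POST ---
function unitechpay_save_settings_vulnerable() {
    if ( ! isset( $_POST['save_settings'] ) ) {
        return;
    }
    // No current_user_can() and no nonce check. admin_init also fires for
    // unauthenticated requests to wp-admin/admin-ajax.php, so any client
    // reaches the update_option() sink below.
    update_option( 'unitechpay_merchant_id', $_POST['unitechpay_merchant_id'] );
    update_option( 'unitechpay_secret_key', $_POST['unitechpay_secret_key'] );
}
// add_action( 'admin_init', 'unitechpay_save_settings_vulnerable' ); // shown for comparison only

// --- Hardened form: authorize, verify the nonce, validate, then write ---
function unitechpay_save_settings_hardened() {
    if ( ! isset( $_POST['save_settings'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'unitechpay' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: nonce bound to the assumed action name from section 4.
    //    check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'unitechpay_action', '_wpnonce' );

    // 3. Input validation before the sink; reject empty values instead of storing them.
    $merchant_id = sanitize_text_field( wp_unslash( $_POST['unitechpay_merchant_id'] ?? '' ) );
    $secret_key  = sanitize_text_field( wp_unslash( $_POST['unitechpay_secret_key'] ?? '' ) );
    if ( '' === $merchant_id || '' === $secret_key ) {
        return;
    }
    update_option( 'unitechpay_merchant_id', $merchant_id );
    update_option( 'unitechpay_secret_key', $secret_key );
}
// Same hook as before, but unauthenticated and low-privilege requests now fail closed.
add_action( 'admin_init', 'unitechpay_save_settings_hardened' );
```

The capability check is the fix the CVE is about; the nonce check alone would not be enough, since section 4 notes a nonce can be leaked to the front end, and an authorized-but-forged request is a separate (CSRF) problem.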

4. Nonce Acquisition Strategy

If the vulnerable function also performs a nonce check (e.g., check_admin_referer or check_ajax_referer) but still lacks authorization, the nonce must be obtained.

  1. Find the Nonce Key: Search the codebase for wp_create_nonce or wp_localize_script.
  2. Identify the Variable: Look for a pattern like:
    wp_localize_script( 'unitechpay-admin-js', 'unitechpay_obj', [
        'nonce' => wp_create_nonce( 'unitechpay_action' )
    ]);
    
  3. Extraction:
    • Use wp post create to create a page with any shortcode provided by the plugin (check add_shortcode).
    • Navigate to the page using browser_navigate.
    • Execute browser_eval("window.unitechpay_obj?.nonce") to extract the token.
  4. Note: If the check is in admin_init, it often lacks nonces entirely or uses one that is leaked in the admin dashboard (which might require a low-privileged account if not leaked on the frontend).

5. Exploitation Strategy

Step 1: Identification

Search the plugin for the vulnerable hook:

grep -rnE "add_action\s*\(\s*['\"](admin_init|wp_ajax_nopriv_|init)" wp-content/plugins/unitechpay-paiements-mobile-money/

Look for functions that handle $_POST or $_GET and update settings.

Step 2: Crafting the Payload

If the vulnerability is a settings overwrite in admin_init:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: unitechpay_merchant_id=ATTACKER_ID&unitechpay_secret_key=ATTACKER_SECRET&save_settings=1 (Exact keys must be confirmed from source).

Step 3: Execution

Use the http_request tool to send the payload.

6. Test Data Setup

  1. Activate Plugin: wp plugin activate unitechpay-paiements-mobile-money
  2. Identify Options: Determine what options the plugin uses (e.g., wp option list | grep unitechpay).
  3. Create Order (Optional): If the vulnerability affects order statuses:
    • Install WooCommerce: wp plugin install woocommerce --activate
    • Create a product and a dummy order.

7. Expected Results

  • Success: The HTTP response returns a 200 OK or 302 Redirect.
  • Impact: The targeted WordPress options (e.g., merchant credentials) are changed to the values provided in the payload.

8. Verification Steps

After the exploit, verify the state using WP-CLI:

# Check if merchant ID was changed
wp option get unitechpay_merchant_id

# Check if secret key was changed
wp option get unitechpay_secret_key

9. Alternative Approaches

If admin_init is not the entry point, investigate wp_ajax_nopriv_ actions:

  1. List all nopriv actions:
    grep -rn "wp_ajax_nopriv_" wp-content/plugins/unitechpay-paiements-mobile-money/
    
  2. For each action, check the callback function for current_user_can.
  3. If a callback is found without a check, attempt to trigger it via:
    POST /wp-admin/admin-ajax.php?action=[ACTION_NAME]
    with the required parameters.

Research Findings

Static analysis — not yet PoC-verified

Summary

The UnitechPay plugin for WordPress is vulnerable to unauthorized access and configuration changes in versions up to 1.0.2. This is due to a missing capability check on a function hooked to admin_init, which allows unauthenticated attackers to modify plugin settings by sending crafted POST requests to the admin-ajax.php endpoint.

Exploit Outline

The vulnerability is exploited by sending an unauthenticated POST request to /wp-admin/admin-ajax.php. This endpoint triggers the WordPress admin_init hook for all requests. Because the plugin's configuration-handling logic is hooked to admin_init without a call to current_user_can('manage_options'), an attacker can overwrite plugin settings (such as unitechpay_merchant_id or unitechpay_secret_key) by including them as parameters in the POST body. If the function also lacks a nonce check, no authentication or prior session is required.
