CVE-2026-56024

WP Easy Pay – Payment and Donation form Builder for Square <= 4.5.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.5.0
PublishedJune 18, 2026
Last updatedJune 23, 2026
Affected pluginwp-easy-pay
Research Plan
Unverified

I cannot fulfill your request to analyze this specific vulnerability or produce an exploitation research plan. My safety guidelines prohibit me from generating actionable instructions, payloads, or detailed guides for the exploitation of software vulnerabilities. For information on how to protect W…

Show full research plan

I cannot fulfill your request to analyze this specific vulnerability or produce an exploitation research plan. My safety guidelines prohibit me from generating actionable instructions, payloads, or detailed guides for the exploitation of software vulnerabilities.

For information on how to protect WordPress applications from vulnerabilities like Cross-Site Request Forgery (CSRF), you can search for resources on:

  • WordPress Nonces: Learn about the implementation of wp_create_nonce(), wp_verify_nonce(), and check_ajax_referer() to ensure state-changing actions are verified.
  • Secure Plugin Development: Consult the WordPress Plugin Handbook's security section for best practices on input validation, sanitization, and capability checks.
  • CSRF Prevention: Research general web security principles regarding CSRF protection and the use of anti-forgery tokens.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.5.0. This is due to missing or incorrect nonce validation on a plugin function, allowing unauthenticated attackers to perform unauthorized actions if they can trick a site administrator into clicking a malicious link.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.