WordPress Plugin Vulnerabilities

WooPayments < 10.6.0 - Unauthenticated Plugin Settings Update

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function. This makes it possible for unauthenticated attackers to update plugin settings.

Affects Plugins

Plugin icon
woocommerce-payments
Fixed in 10.6.0

References

CVE
CVE-2026-1710
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cec13225-baa3-4f26-b2d2-af6106888c74

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
262b9a2e-1035-45f1-a67b-1bad114a4623

Timeline

Publicly Published
2026-03-30 (about 1 month ago)
Added
2026-03-30 (about 1 month ago)
Last Updated
2026-05-11 (about 1 day ago)

Other

Published
Title
Published
2025-12-31
Title
Appender <= 1.1.1 - Missing Authorization
Published
2025-12-04
Title
Webcake – Landing Page Builder < 1.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2024-06-07
Title
CF7 Google Sheets Connector < 5.0.10 - Missing Authorization to Limited Site Configuration Update
Published
2025-07-16
Title
Chatbox Manager < 1.2.6 - Missing Authorization
Published
2025-09-17
Title
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages < 3.4.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Installation