WordPress Plugin Vulnerabilities

Mollie Payments for WooCommerce < 8.0.3 - Unauthenticated Insecure Direct Object Reference

Description

The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.0.2 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
mollie-payments-for-woocommerce
Fixed in 8.0.3

References

CVE
CVE-2025-39362
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7dfc419d-dc45-43f2-8899-0181523180ba

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
37016023-7351-4218-87f8-35e5a9283610

Timeline

Publicly Published
2025-06-26 (about 10 months ago)
Added
2025-07-01 (about 10 months ago)
Last Updated
2025-07-08 (about 10 months ago)

Other

Published
Title
Published
2023-06-12
Title
Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API
Published
2026-05-01
Title
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.26 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion
Published
2024-04-04
Title
LearnPress < 4.2.6.4 - Insecure Direct Object Reference
Published
2024-06-28
Title
Page and Post Clone < 6.1 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure
Published
2024-12-03
Title
LA-Studio Element Kit for Elementor < 1.4.5 - Authenticated (Contributor+) Post Disclosure