WordPress Plugin Vulnerabilities

Payday <= 3.3.18 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
payday
No known fix

References

CVE
CVE-2025-31876
URL
https://patchstack.com/database/wordpress/plugin/payday/vulnerability/wordpress-payday-plugin-3-3-12-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kévin Mosbahi (Mika)
Verified
No
WPVDB ID
4669465e-9568-4d0a-9d45-0b1362b2b0ed

Timeline

Publicly Published
2025-04-03 (about 1 year ago)
Added
2025-04-08 (about 11 months ago)
Last Updated
2025-06-26 (about 9 months ago)

Other

Published
Title
Published
2025-03-27
Title
King Addons for Elementor < 24.12.59 - Missing Authorization
Published
2024-05-09
Title
MC Woocommerce Wishlist < 1.7.9 - Missing Authorization
Published
2024-12-23
Title
WC Price History for Omnibus < 2.1.4 - Missing Authorization
Published
2023-12-26
Title
Sirv < 7.1.3 - Missing Authorization via sirv_disconnect
Published
2025-05-16
Title
EventON < 2.4.5 - Missing Authorization