WordPress Plugin Vulnerabilities

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management < 4.6.20 - Missing Authorization

Description

The Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.6.19. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
wp-payment-form
Fixed in 4.6.20

References

CVE
CVE-2026-42655
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e60cd9eb-5707-493d-8f3a-3d4160e14735

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Weerawat Pawanawiwat (ErbaZZ)
Verified
No
WPVDB ID
8cbeacea-17bb-4c71-a4fb-9e384bf8aff3

Timeline

Publicly Published
2026-04-29 (about 27 days ago)
Added
2026-05-04 (about 21 days ago)
Last Updated
2026-05-04 (about 21 days ago)

Other

Published
Title
Published
2024-12-02
Title
Church Admin < 5.0.9 - Missing Authorization
Published
2024-04-25
Title
XStore < 9.3.9 - Missing Authorization
Published
2024-02-14
Title
EventPrime – Events Calendar, Bookings and Tickets < 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval
Published
2025-04-01
Title
Cue < 2.4.5 - Missing Authorization
Published
2024-08-09
Title
Persian WooCommerce < 9.0.0 - Missing Authorization