WordPress Plugin Vulnerabilities

Peach Payments Gateway < 3.2.0 - Missing Authorization via peach_core_version_rollback()

Description

The Peach Payments Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the peach_core_version_rollback() function in versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to rollback the plugin's version.

Affects Plugins

Plugin icon
wc-peach-payments-gateway
Fixed in 3.2.0

References

CVE
CVE-2024-25922
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3152208e-e4f7-4f48-b6a1-05a656d9c826

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
96ce6fb2-b7ce-46a8-b24c-3a17c09e5005

Timeline

Publicly Published
2024-02-14 (about 2 years ago)
Added
2024-02-20 (about 2 years ago)
Last Updated
2024-02-20 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
PilotPress <= 2.0.36 - Missing Authorization
Published
2025-06-25
Title
Post Carousel Slider for Elementor < 1.7.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function
Published
2024-12-12
Title
Arabic Webfonts <= 1.4.6 - Missing Authorization
Published
2025-01-24
Title
Print Barcode Labels for your WooCommerce products/orders < 3.4.11 - Missing Authorization
Published
2024-06-11
Title
InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation