WordPress Plugin Vulnerabilities

PayU CommercePro Plugin < 3.8.8 - Authentication Bypass

Description

The plugin is vulnerable to Authentication Bypass due to the plugin not properly verifying a user's identity through the update_cart_data() function. This makes it possible for unauthenticated attackers to log in as an administrator.

Affects Plugins

Plugin icon
payu-india
Fixed in 3.8.8

References

CVE
CVE-2025-31022
URL
https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
b4fce237-c1bb-4969-b428-23feec47740a

Timeline

Publicly Published
2025-06-05 (about 1 year ago)
Added
2025-06-11 (about 1 year ago)
Last Updated
2025-07-04 (about 11 months ago)

Other

Published
Title
Published
2024-06-19
Title
Lifeline Donation <= 1.2.6 - Authentication Bypass
Published
2014-08-01
Title
WP Symposium <= 12.07.07 - Authentication Bypass
Published
2016-06-06
Title
OneLogin SAML SSO <= 2.1.5 - Authentication Bypass
Published
2021-07-19
Title
Profile Builder < 3.4.9 - Admin Access via Password Reset
Published
2015-03-04
Title
Ya'aburnee 1.0.7 - Privilage Escalation