{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1710", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-30T18:02:31.773Z", "datePublished": "2026-03-31T04:25:32.434Z", "dateUpdated": "2026-03-31T04:25:32.434Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-31T04:25:32.434Z"}, "affected": [{"vendor": "woocommerce", "product": "WooPayments: Integrated WooCommerce Payments", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "10.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings."}], "title": "WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cec13225-baa3-4f26-b2d2-af6106888c74?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-payments/tags/10.4.0/includes/class-wc-payment-gateway-wcpay.php#L4125"}, {"url": "https://plugins.trac.wordpress.org/changeset/3480315/woocommerce-payments/trunk/includes/class-wc-payment-gateway-wcpay.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-01-30T18:19:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-30T16:13:16.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings."}], "id": "CVE-2026-1710", "lastModified": "2026-03-31T05:16:10.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-31T05:16:10.690", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-payments/tags/10.4.0/includes/class-wc-payment-gateway-wcpay.php#L4125"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3480315/woocommerce-payments/trunk/includes/class-wc-payment-gateway-wcpay.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cec13225-baa3-4f26-b2d2-af6106888c74?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.5.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WooPayments: Integrated WooCommerce Payments", "source": "cna", "vendor": "woocommerce"}, "product": "woopayments:_integrated_woocommerce_payments", "vendor": "woocommerce"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T07:50:18.455593+00:00", "value": {"mitigation_remediation": ["Update the WooPayments plugin to version 10.5.2 or later", "Verify that the plugin version on your site exceeds 10.5.1", "Check the WordPress Plugin Repository or WooCommerce\u2019s site for the latest update"], "summary": {"action": "Patch immediately", "impact": "Unauthorized modification of WooPayments plugin settings"}, "threat_synthesis": {"affected_systems": "All WordPress installations that utilize the WooPayments Integrated WooCommerce Payments plugin with a version equal to or older than 10.5.1 are vulnerable. The issue exists in every copy of the plugin containing the save_upe_appearance_ajax routine.", "description_and_impact": "The Integrated WooCommerce Payments plugin for WordPress contains a missing capability check in the save_upe_appearance_ajax function, allowing any user to send a request to this endpoint and alter the plugin\u2019s configuration. This flaw permits an attacker to change payment gateway options or other settings, potentially redirecting funds, disabling essential payment features, and compromising the integrity of the site\u2019s checkout flow.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is an unauthenticated AJAX request to the save_upe_appearance_ajax endpoint; based on the description, it is inferred that no prior site compromise is required to exploit the flaw."}}}}, "created": "2026-03-31T19:56:16.581702+00:00", "updated": "2026-03-31T20:39:31.637065+00:00", "vendors": ["woocommerce", "woocommerce$PRODUCT$woopayments:_integrated_woocommerce_payments", "wordpress", "wordpress$PRODUCT$wordpress"]}