{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39643", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:32.373Z", "dateUpdated": "2026-04-08T08:30:32.373Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pymntpl-paypal-woocommerce", "product": "Payment Plugins for PayPal WooCommerce", "vendor": "Payment Plugins", "versions": [{"lessThanOrEqual": "2.0.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.722Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.</p>"}], "value": "Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:32.373Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pymntpl-paypal-woocommerce/vulnerability/wordpress-payment-plugins-for-paypal-woocommerce-plugin-2-0-13-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Payment Plugins for PayPal WooCommerce plugin <= 2.0.13 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13."}], "id": "CVE-2026-39643", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:35.077", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pymntpl-paypal-woocommerce/vulnerability/wordpress-payment-plugins-for-paypal-woocommerce-plugin-2-0-13-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Payment Plugins for PayPal WooCommerce", "source": "cna", "vendor": "Payment Plugins"}, "product": "payment_plugins_for_paypal_woocommerce", "vendor": "payment_plugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:46:32.526350+00:00", "value": {"mitigation_remediation": ["Upgrade Payment Plugins for PayPal WooCommerce to version 2.0.14 or newer", "Verify that all WordPress user accounts have appropriate capabilities and revoke any excessive permissions", "Consider disabling or uninstalling the plugin if it is not required for your site", "Audit the plugin configuration to ensure that payment settings are not exposed to unauthorized users"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Payment Plugins for PayPal WooCommerce plugin installed at any version up through 2.0.13 are affected. The issue is tied to the Payments Plugins suite\u2019s integration module for PayPal on WooCommerce. No further version detail is provided beyond the stated maximum.", "description_and_impact": "The vulnerability is a missing authorization flaw in Payment Plugins for PayPal WooCommerce. Inadequate access control levels allow users to perform actions beyond their intended rights. The weakness is classified as CWE\u2011862, a failure to enforce proper user permissions. Based on the description, it is inferred that an attacker who exploits this issue could modify payment configuration settings or gain access to sensitive data stored by the plugin.", "risk_and_exploitability": "The CVSS score is not available, but the missing authorization nature suggests a potentially high impact if an attacker can reach the vulnerable code. The EPSS score is not listed, and the vulnerability is not included in the CISA KEV catalog, implying it may not yet be widely exploited. The likely attack vector is inferred to be web\u2011based, requiring an HTTP request that bypasses the plugin\u2019s permission checks, possibly accessed through the WordPress administrative interface or a crafted URL. If successfully exploited, the attacker might gain elevated privileges to alter payment settings or access sensitive information."}}}}, "created": "2026-04-08T19:28:28.440214+00:00", "updated": "2026-04-08T19:41:32.945398+00:00", "vendors": ["payment_plugins", "payment_plugins$PRODUCT$payment_plugins_for_paypal_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}