{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39656", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:36.077Z", "dateUpdated": "2026-04-08T08:30:36.077Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woo-razorpay", "product": "Razorpay for WooCommerce", "vendor": "Razorpay", "versions": [{"lessThanOrEqual": "4.8.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:39.965Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2.</p>"}], "value": "Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:36.077Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woo-razorpay/vulnerability/wordpress-razorpay-for-woocommerce-plugin-4-8-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Razorpay for WooCommerce plugin <= 4.8.2 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2."}], "id": "CVE-2026-39656", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:36.717", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woo-razorpay/vulnerability/wordpress-razorpay-for-woocommerce-plugin-4-8-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Razorpay for WooCommerce", "source": "cna", "vendor": "Razorpay"}, "product": "razorpay_for_woocommerce", "vendor": "razorpay"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:04:42.336166+00:00", "value": {"mitigation_remediation": ["Upgrade the Razorpay for WooCommerce plugin to a release newer than 4.8.2", "Restrict the plugin\u2019s administrative functionality to trusted users and review or remove unnecessary privileged roles", "Ensure WordPress core and the WooCommerce plugin are updated to the latest supported versions to reduce the attack surface"], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This vulnerability impacts the Razorpay for WooCommerce plugin used on WordPress sites. All installations running versions up to and including 4.8.2 are vulnerable; the problem arises in the plugin\u2019s handling of security roles and does not depend on a specific WordPress version or hosting environment.", "description_and_impact": "Missing authorization in the Razorpay for WooCommerce WordPress plugin allows attackers to bypass intended access controls and perform privileged actions such as modifying payment settings or order data. Because the flaw is a pure access\u2011control issue (CWE\u2011862), the primary impact is privilege escalation within the WordPress site.", "risk_and_exploitability": "No EPSS or KEV data are available, so the exact likelihood of exploitation cannot be quantified. The attack vector is highly probable because the flaw is reachable via standard HTTP requests that a regular visitor can trigger if the plugin\u2019s admin pages or endpoints are exposed. An attacker who exploits this flaw can elevate privileges to perform administrative actions within the plugin, potentially compromising payment processing or altering order data, making the severity high or even critical. The absence of an official patch or workaround underscores the urgency of upgrading the plugin to a safe version."}}}}, "created": "2026-04-08T19:28:17.365519+00:00", "updated": "2026-04-08T19:41:20.314641+00:00", "vendors": ["razorpay", "razorpay$PRODUCT$razorpay_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}