CVE-2024-10938 MEDIUM

CVE-2024-10938: OVRI Payment 1.7.0 - Malicious .htaccess directive

Vendor Moneytigo
Product OVRI Payment
Weakness CWE-506
Published February 27, 2026
Last update February 27, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.
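A defender's check for the pattern described above, as an added example that is not part of the original advisory or the plugin's code: it flags `.htaccess` files that deny PHP execution in general while re-allowing specific named PHP files. The directive layout in `SAMPLE` and the file names in it are constructed assumptions; the advisory does not reproduce the actual file contents.

```python
import re
from pathlib import Path

# <Files "..."> / <FilesMatch "..."> sections: capture the name pattern and the body.
BLOCK = re.compile(r'<Files(?:Match)?\s+"?([^">]+)"?\s*>(.*?)</Files(?:Match)?>', re.I | re.S)
DENY = re.compile(r'^\s*(?:deny\s+from\s+all|require\s+all\s+denied)\b', re.I | re.M)
ALLOW = re.compile(r'^\s*(?:allow\s+from\s+all|require\s+all\s+granted)\b', re.I | re.M)
PHP_NAME = re.compile(r'[\w.\\-]+?\.php\d?', re.I)  # literal file names inside a pattern

def audit_htaccess(text):
    """Return PHP file names re-allowed by a file that otherwise denies PHP."""
    denies_php, allowed = False, []
    for pattern, body in BLOCK.findall(text):
        if DENY.search(body) and "php" in pattern.lower():
            denies_php = True  # section blocks access to PHP (and other scripts)
        elif ALLOW.search(body):
            # section grants access; collect any explicit *.php names it lists
            allowed += [n.replace("\\", "") for n in PHP_NAME.findall(pattern)]
    return sorted(set(allowed)) if denies_php else []

def scan_tree(root):
    """Map each suspicious .htaccess under root to the PHP names it allow-lists."""
    hits = {}
    for path in Path(root).rglob(".htaccess"):
        names = audit_htaccess(path.read_text(errors="replace"))
        if names:
            hits[str(path)] = names
    return hits

# Constructed sample (assumed shape, hypothetical file names), not the plugin's file.
SAMPLE = r'''
<FilesMatch "\.(py|exe|phtml|php)$">
  Order allow,deny
  Deny from all
</FilesMatch>
<FilesMatch "^(index\.php|example-allowed\.php)$">
  Order allow,deny
  Allow from all
</FilesMatch>
'''

if __name__ == "__main__":
    import sys
    print(audit_htaccess(SAMPLE))
    for path, names in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", ", ".join(names))
```

Run it against `wp-content/` and review every allow-listed name it reports: each one should be a file you recognise as belonging to the site.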

Explanation of Vulnerability in Simple Terms

02 Summary

OVRI Payment versions 1.7.0 and later contain a flaw that allows attackers to modify data or disrupt service availability. No authentication is required, and the attack can be performed over the network without user interaction. The vulnerability affects the integrity and availability of the payment system.

What an attacker can do

03 Attacker Capabilities

Modify payment data or cause the service to become unavailable without authentication.

Potential impact on your site

04 Site Impact

Payment transactions may be altered or the payment service may become unavailable to legitimate users.

Conditions required to exploit

05 Prerequisites

Network access to the OVRI Payment system; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 27, 2026 CVE published
February 27, 2026 Record updated