What the vulnerability does
01Description
Missing Authorization vulnerability in Digages Direct Payments WP direct-payments-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Direct Payments WP: from n/a through <= 1.3.2.
Explanation of Vulnerability in Simple Terms
02Summary
Direct Payments WP versions 1.3.2 and earlier lack proper authorization checks, allowing authenticated users with low privileges to modify payment data they should not access. An attacker with a basic user account can alter transaction records or payment settings without administrative approval. This affects the integrity of payment records but does not expose sensitive data or disrupt service availability.
What an attacker can do
03Attacker Capabilities
Modify payment records or settings with a low-privilege user account.
Potential impact on your site
04Site Impact
Payment data integrity is at risk; unauthorized users can alter transaction records or payment configuration.
Conditions required to exploit
05Prerequisites
Attacker must have a valid low-privilege user account on the WordPress site.
Key dates
06Disclosure timeline
December 31, 2025
CVE published
April 28, 2026
Record updated