What the vulnerability does
01 Description
The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.
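The missing capability check described above, shown as the hardened pattern for this kind of handler. This is an added example, not the plugin's own code: the action name, nonce name, `example_kasa_*` functions and meta key are hypothetical, and it assumes the invoice action is exposed through WordPress admin-AJAX on a site running WooCommerce.

```php
<?php
// Added example: hypothetical handler, NOT the Vchasno Kasa plugin's code.
// Assumption: an admin-AJAX action that creates an invoice for a WooCommerce order.

// Register only the authenticated hook. A matching wp_ajax_nopriv_ hook
// would make the handler reachable by logged-out visitors.
add_action( 'wp_ajax_example_kasa_create_invoice', 'example_kasa_create_invoice' );

function example_kasa_create_invoice() {
    // 1. Capability check: the step the advisory reports as missing.
    //    Only users who may edit shop orders are allowed to continue.
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Nonce check: binds the request to a form rendered for this user.
    //    A nonce alone is not authorization, so it follows the capability check.
    check_ajax_referer( 'example_kasa_create_invoice', 'nonce' );

    // 3. Validate the order id instead of trusting the request value.
    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }

    // 4. Only now perform the sensitive operation.
    $invoice_ref = example_kasa_issue_invoice( $order );
    wp_send_json_success( array( 'invoice_ref' => $invoice_ref ) );
}

// Hypothetical helper: records a locally generated reference on the order.
// A real integration would call the fiscal service here.
function example_kasa_issue_invoice( $order ) {
    $invoice_ref = wp_generate_uuid4();
    $order->update_meta_data( '_example_kasa_invoice_ref', $invoice_ref );
    $order->add_order_note(
        sprintf( 'Invoice %s created by user %d', $invoice_ref, get_current_user_id() )
    );
    $order->save();
    return $invoice_ref;
}
```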
Explanation of Vulnerability in Simple Terms
02 Summary
The MORKVA Vchasno Kasa Integration plugin through version 1.0.3 lacks proper authorization checks on sensitive operations. An unauthenticated attacker can read limited data without valid credentials. The vulnerability requires only network access and no user interaction. Update to a version newer than 1.0.3 to remediate.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the integration without authentication.
Potential impact on your site
04 Site Impact
Unauthorized users can access sensitive information exposed by the integration.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
July 19, 2025: CVE published
April 8, 2026: Record updated