What the vulnerability does
01 Description
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.
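The class of bug described above, shown as an added example that is not WooPayments' own code: a WordPress AJAX handler that saves a setting with no capability check, next to a hardened form. The function names, AJAX action names, option name and nonce action are hypothetical, the `nopriv` registration is an assumed way for a handler to be reachable without login, and `manage_woocommerce` is assumed as the required capability.

```php
<?php
// Hypothetical handlers illustrating a missing capability check; not plugin code.

// BEFORE: reachable by logged-out visitors (assumed nopriv hook) and never
// checks who is calling before writing the setting.
add_action( 'wp_ajax_example_appearance_unsafe', 'example_save_appearance_unsafe' );
add_action( 'wp_ajax_nopriv_example_appearance_unsafe', 'example_save_appearance_unsafe' );

function example_save_appearance_unsafe() {
	$appearance = isset( $_POST['appearance'] ) ? wp_unslash( $_POST['appearance'] ) : '';
	update_option( 'example_appearance', $appearance ); // written for any caller
	wp_send_json_success();
}

// AFTER: registered for logged-in users only, then authorised explicitly.
add_action( 'wp_ajax_example_appearance_safe', 'example_save_appearance_hardened' );

function example_save_appearance_hardened() {
	// Nonce check: stops forged cross-site requests. It is not authorisation.
	check_ajax_referer( 'example_save_appearance', 'nonce' );

	// Capability check: the step the advisory reports as missing.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// Validate the payload shape before it is stored.
	$raw        = isset( $_POST['appearance'] ) ? wp_unslash( $_POST['appearance'] ) : '';
	$appearance = json_decode( $raw, true );
	if ( ! is_array( $appearance ) ) {
		wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
	}

	update_option( 'example_appearance', map_deep( $appearance, 'sanitize_text_field' ) );
	wp_send_json_success();
}
```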
Explanation of Vulnerability in Simple Terms
02 Summary
WooPayments versions up to 10.5.1 contain an integrity and availability vulnerability accessible over the network without authentication. An attacker can modify data or disrupt service availability. The exact attack vector is unclear due to incomplete CWE classification. Update to a version newer than 10.5.1 immediately.
What an attacker can do
03 Attacker Capabilities
Modify payment or order data, or disrupt WooPayments service availability without logging in.
Potential impact on your site
04 Site Impact
Payment data integrity compromised and potential service disruption affecting customer transactions.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 31, 2026: CVE published
May 12, 2026: Record updated