CVE-2026-1710 MEDIUM

CVE-2026-1710: WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax

Vendor Woocommerce
Product WooPayments: Integrated WooCommerce Payments
Weakness CWE-285
Published March 31, 2026
Last update May 12, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.

Explanation of Vulnerability in Simple Terms

02 Summary

WooPayments versions up to and including 10.5.1 contain an integrity and availability vulnerability that is reachable over the network without authentication. An attacker can modify data or disrupt service availability. The exact attack vector is unclear due to incomplete CWE classification. Update to a version newer than 10.5.1 immediately.

What an attacker can do

03 Attacker Capabilities

Modify payment or order data, or disrupt WooPayments service availability without logging in.

Potential impact on your site

04 Site Impact

Payment data integrity compromised and potential service disruption affecting customer transactions.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 31, 2026 CVE published
May 12, 2026 Record updated