What the vulnerability does
01 Description
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
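The defect described above is a missing authorization check on a privileged handler. As an added illustration (not Frisbii Pay's code, and not a reconstruction of its actual 'upload_csv' or 'process_batch' functions), the block below shows the vulnerable pattern in a WordPress AJAX handler next to the hardened form. Function names, action hook names, the meta key and the capability chosen are all assumptions made for the example.

```php
<?php
// Added example, not code from the Frisbii Pay plugin. Hook names, function
// names, the meta key and the capability are hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user, Subscribers included. With
// no nonce and no capability check, any authenticated account can reach the
// handler and rewrite payment-related order meta from an uploaded CSV.
function example_upload_csv_vulnerable() {
    $rows = array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) );
    foreach ( $rows as $row ) {
        update_post_meta( (int) $row[0], '_example_payment_token', sanitize_text_field( $row[1] ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_upload_csv_vulnerable', 'example_upload_csv_vulnerable' );

// --- Hardened pattern ----------------------------------------------------
function example_upload_csv_hardened() {
    // 1. Request-origin check: the caller must present a nonce minted with
    //    wp_create_nonce( 'example_upload_csv' ); otherwise the request dies.
    check_ajax_referer( 'example_upload_csv', 'nonce' );

    // 2. Authorization: only users who may administer the shop can rewrite
    //    payment records. A Subscriber fails here and receives HTTP 403.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the upload before touching any record.
    if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No CSV file uploaded.' ), 400 );
    }

    $rows    = array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) );
    $updated = 0;
    foreach ( $rows as $row ) {
        // Skip malformed lines instead of writing partial data.
        if ( count( $row ) < 2 || ! ctype_digit( (string) $row[0] ) ) {
            continue;
        }
        // 4. Only operate on real WooCommerce orders; wc_get_order() returns
        //    false for IDs that are not orders.
        $order = wc_get_order( (int) $row[0] );
        if ( ! $order ) {
            continue;
        }
        $order->update_meta_data( '_example_payment_token', sanitize_text_field( $row[1] ) );
        $order->save();
        $updated++;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
add_action( 'wp_ajax_example_upload_csv_hardened', 'example_upload_csv_hardened' );
```

The essential difference is steps 1 and 2: `check_ajax_referer()` blocks cross-site forgery and `current_user_can()` enforces the capability, so being logged in is no longer sufficient to reach the write path. Steps 3 and 4 limit what a legitimate caller can damage by accident. When reviewing a plugin for this class of bug, every `wp_ajax_*` and `admin_post_*` handler that writes data should have both checks.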
Explanation of Vulnerability in Simple Terms
02 Summary
Frisbii Pay versions 1.8.9 and earlier lack proper authorization checks, allowing authenticated users to modify payment data they should not have access to. An attacker with a low-privilege account can change transaction details or payment settings without restriction. This affects the integrity of payment records but does not expose sensitive data or disrupt service availability.
What an attacker can do
03 Attacker Capabilities
Modify payment records or settings belonging to other users or transactions.
Potential impact on your site
04 Site Impact
Payment data integrity is at risk; unauthorized changes to transactions or payment configurations could occur.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege account on the system.
Key dates
06 Disclosure timeline
June 27, 2026: CVE published
June 29, 2026: Record updated