{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27073", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-03-25T16:14:54.270Z", "dateUpdated": "2026-03-25T16:14:54.270Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "buy-now-pay-later-addi", "product": "Addi &#8211; Cuotas que se adaptan a ti", "vendor": "Addi", "versions": [{"lessThanOrEqual": "<= 2.0.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:19.840Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of Hard-coded Credentials vulnerability in Addi Addi &#8211; Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.<p>This issue affects Addi &#8211; Cuotas que se adaptan a ti: from n/a through <= 2.0.4.</p>"}], "value": "Use of Hard-coded Credentials vulnerability in Addi Addi &#8211; Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi &#8211; Cuotas que se adaptan a ti: from n/a through <= 2.0.4."}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "Password Recovery Exploitation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:54.270Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/buy-now-pay-later-addi/vulnerability/wordpress-addi-cuotas-que-se-adaptan-a-ti-plugin-2-0-4-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Addi \u2013 Cuotas que se adaptan a ti plugin <= 2.0.4 - Broken Authentication vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials vulnerability in Addi Addi &#8211; Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi &#8211; Cuotas que se adaptan a ti: from n/a through <= 2.0.4."}], "id": "CVE-2026-27073", "lastModified": "2026-03-25T17:16:54.793", "metrics": {}, "published": "2026-03-25T17:16:54.793", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/buy-now-pay-later-addi/vulnerability/wordpress-addi-cuotas-que-se-adaptan-a-ti-plugin-2-0-4-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:49:30.628503+00:00", "value": {"mitigation_remediation": ["Update the Addi \u2013 Cuotas que se adaptan a ti plugin to any version newer than 2.0.4.", "If an update is not available, disable or uninstall the plugin.", "Verify that no files on the server retain hard\u2011coded credentials related to the plugin."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the Addi \u2013 Cuotas que se adaptan a ti plugin installed at version 2.0.4 or earlier are affected.", "description_and_impact": "The vulnerability exists in the Addi \u2013 Cuotas que se adaptan a ti WordPress plugin, which stores hard\u2011coded credentials. These credentials can be used through the password\u2011reset functionality, allowing an attacker to bypass normal authentication without prior account creation.", "risk_and_exploitability": "Because the vulnerability provides a straightforward authentication bypass, the risk is high. No CVSS or EPSS score is provided, so an exact severity metric is unavailable. The vulnerability is not listed in the CISA KEV catalog, but the presence of hard\u2011coded credentials means exploitation is possible if the attacker reaches the password\u2011reset endpoint."}}}}, "created": "2026-03-25T21:44:03.162501+00:00", "updated": "2026-03-25T21:44:03.162525+00:00", "vendors": []}