{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39608", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:23.084Z", "dateUpdated": "2026-04-08T08:30:23.084Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ipospays-gateways-wc", "product": "iPOSpays Gateways WC", "vendor": "iPOSPays", "versions": [{"lessThanOrEqual": "1.3.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.478Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7.</p>"}], "value": "Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.084Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ipospays-gateways-wc/vulnerability/wordpress-ipospays-gateways-wc-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress iPOSpays Gateways WC plugin <= 1.3.7 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7."}], "id": "CVE-2026-39608", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:30.170", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ipospays-gateways-wc/vulnerability/wordpress-ipospays-gateways-wc-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.3.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iPOSpays Gateways WC", "source": "cna", "vendor": "iPOSPays"}, "product": "ipospays_gateways_wc", "vendor": "ipospays"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:43:38.539383+00:00", "value": {"mitigation_remediation": ["Upgrade the iPOSpays Gateways WC plugin to version 1.3.8 or later."], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected system is the iPOSpays Gateways WC plugin for WordPress, specifically all releases from the earliest available version up to and including 1.3.7. No further version granularity is supplied in the listed data. Users running any of these versions are potentially exposed until a remediation applied.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to bypass normal access controls when interacting with the iPOSpays Gateways WC plugin. An attacker can exploit the incorrectly configured security levels to perform actions that should be restricted, potentially exposing sensitive data or modifying configurations without proper permission. This weakness is categorized as a broken access control (CWE\u2011862) and can undermine the confidentiality, integrity, and availability of the WordPress installation. The description states only that authorization checks are missing; no additional exploitation details are provided.", "risk_and_exploitability": "The CVSS score is not disclosed in the provided material, and the EPSS score is unavailable, leaving the precise likelihood of exploitation unclear. However, the nature of an unauthenticated or improperly authenticated access control flaw suggests a high potential impact if an attacker can obtain or assume privileges within the WordPress environment. The vulnerability is not yet noted in the CISA KEV catalog. The likely attack vector is through the web interface of the plugin, where an attacker may exploit the lack of authorization checks via crafted requests or by creating a user account that achieves elevated privileges. The risk remains significant until the plugin is updated to a version that resolves the issue."}}}}, "created": "2026-04-08T19:29:52.229831+00:00", "updated": "2026-04-08T19:42:09.676967+00:00", "vendors": ["ipospays", "ipospays$PRODUCT$ipospays_gateways_wc", "wordpress", "wordpress$PRODUCT$wordpress"]}