CVE-2025-31022
BaseFortify
Publication date: 2025-06-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a high-severity authentication bypass in the WordPress PayU India plugin (up to version 3.8.5) that allows unauthenticated attackers to perform actions normally restricted to higher-privileged users. Essentially, attackers can gain administrative access to the affected website by exploiting broken authentication mechanisms, classified under OWASP Top 10 category A7: Identification and Authentication Failures. [1]
How can this vulnerability impact me? :
The vulnerability can lead to account takeover and unauthorized administrative access to your website, allowing attackers to perform any actions that an admin user can. This can result in data breaches, site defacement, unauthorized transactions, or complete control over the affected system. Since no official patch is available, sites remain at high risk of mass exploitation unless mitigated by virtual patches or other protective measures. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no official patch or fixed version is currently available for the PayU India plugin up to version 3.8.5, immediate mitigation involves applying the virtual patch (vPatch) provided by Patchstack to block attacks exploiting this vulnerability. Additionally, users should seek professional incident response if their sites have been compromised. Automated virtual patching is recommended as the fastest protection method until an official fix is released. [1]