CVE-2026-1833
Unauthorized Access in WaMate Confirm Plugin Allows Privilege Abuse
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wamate | confirm_order_confirmation | up to and including 2.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to the phone number blocking and unblocking functions of the WaMate Confirm β Order Confirmation WordPress plugin. Detection would focus on identifying unauthorized attempts to block or unblock phone numbers by users with subscriber-level access or above.

Since the plugin operates within WordPress and uses admin interface capabilities, monitoring WordPress user actions and logs related to phone number blocking/unblocking is recommended.

Suggested detection methods include:

- Review WordPress user roles and capabilities to identify whether subscriber-level users are performing actions restricted to administrators.
- Check the plugin's blocked numbers list and logs for unexpected changes or unblock attempts.
- Use WordPress audit logging plugins or enable logging to capture user actions related to the WaMate plugin's phone blocker feature.
- On the server, monitor HTTP requests to the plugin's endpoints that handle phone blocking/unblocking for suspicious activity from non-admin users.

Specific commands depend on your environment, but examples include:

- Using WP-CLI to list users and their roles: `wp user list --role=subscriber`
- Checking recent changes in the WordPress database table that stores blocked numbers (likely in options or custom tables) via SQL queries.
- Using server logs to grep for requests to plugin-related URLs, e.g. `grep 'wamate-confirm' /var/log/apache2/access.log`

[1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include restricting access to the plugin's phone blocking and unblocking features to administrators only.

Since the vulnerability allows subscriber-level users to perform actions reserved for administrators, ensure that user roles and capabilities are correctly configured and enforced.

Additional mitigation steps:

- Update the WaMate Confirm plugin to a version later than 2.0.1 where this vulnerability is fixed.
- Temporarily disable the phone blocker feature if possible until an update is applied.
- Audit and limit subscriber-level user accounts to only trusted users.
- Implement monitoring and alerting for changes to blocked phone numbers.
- Apply WordPress security best practices such as strong passwords, two-factor authentication, and least privilege principles.

[1]
Can you explain this vulnerability to me?
The WaMate Confirm β Order Confirmation plugin for WordPress has a vulnerability in all versions up to and including 2.0.1 where it does not properly verify if a user is authorized to perform certain actions.
This flaw allows authenticated users with subscriber-level access or higher to block and unblock phone numbers, actions that should be restricted only to administrators.
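The pattern behind a CWE-862 finding of this kind, shown as an added illustration rather than the plugin's actual source: a WordPress AJAX handler that any logged-in user can reach because it never checks a capability, beside the hardened form that verifies a nonce and an administrator capability first. The action names, option name and function names are hypothetical.

```php
<?php
// Added example, not the WaMate plugin's code. The 'wp_ajax_*' action names,
// the 'example_blocked_phones' option and the function names are hypothetical.

// Vulnerable pattern: 'wp_ajax_' hooks fire for ANY authenticated user,
// including subscribers, so without a capability check anyone logged in
// can add a number to the block list.
add_action( 'wp_ajax_example_block_phone', 'example_block_phone_vulnerable' );
function example_block_phone_vulnerable() {
    $phone   = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $blocked = get_option( 'example_blocked_phones', array() );
    $blocked[] = $phone;
    update_option( 'example_blocked_phones', array_unique( $blocked ) );
    wp_send_json_success();
}

// Hardened pattern: reject the request unless it carries a valid nonce and
// the caller holds an administrator-level capability; validate the input
// before writing to the option.
add_action( 'wp_ajax_example_block_phone_fixed', 'example_block_phone_fixed' );
function example_block_phone_fixed() {
    // Dies with a 403 if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'example_block_phone', 'nonce' );

    // Authorization check: this is what CWE-862 says is missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    if ( ! preg_match( '/^\+?[0-9]{6,15}$/', $phone ) ) {
        wp_send_json_error( 'invalid phone number', 400 );
    }

    $blocked = get_option( 'example_blocked_phones', array() );
    if ( ! in_array( $phone, $blocked, true ) ) {
        $blocked[] = $phone;
        update_option( 'example_blocked_phones', $blocked );
    }
    wp_send_json_success( array( 'blocked_count' => count( $blocked ) ) );
}
```

The matching unblock handler needs the same nonce and capability checks; when reviewing a plugin, look for every `wp_ajax_` (and `wp_ajax_nopriv_`) registration and confirm each handler performs both before changing state.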
How can this vulnerability impact me?
Because the plugin allows unauthorized users to block or unblock phone numbers, an attacker with subscriber-level access could disrupt legitimate customers by blocking their phone numbers from placing orders.
This could lead to denial of service for certain users, impacting business operations and customer experience.
The CVSS score of 5.3 indicates a medium severity impact, specifically causing integrity loss without affecting confidentiality or availability.