CVE-2026-1710
Unauthorized Settings Modification in WooPayments via Missing Capability Check
Publication date: 2026-03-31
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | woocommerce_payments | all versions up to and including 10.5.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to and including 10.5.1.
Because the handler never verifies that the caller holds an appropriate capability before it writes settings, unauthenticated attackers can invoke it and update plugin settings (CWE-285, improper authorization).
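The following is an added illustration, not code from WooPayments or from the advisory: a WordPress AJAX settings handler written the way this bug class arises, beside the hardened form. The hook name `example_save_appearance`, the option name `example_upe_appearance` and the nonce action are assumptions for the example. A handler hooked to `wp_ajax_nopriv_{action}` runs for logged-out visitors, and one hooked to `wp_ajax_{action}` runs for any logged-in user, subscribers included, so the handler itself must check a capability before writing settings.

```php
<?php
/**
 * Added example (not the plugin's own code): the CWE-285 pattern in a
 * WordPress AJAX settings handler, and the hardened version.
 * Hook name, option name and nonce action are assumed for illustration.
 */

// ---- Vulnerable pattern: no capability check, no nonce -------------------
function example_save_appearance_ajax_vulnerable() {
    // Whoever reaches this handler can overwrite the setting.
    $appearance = isset( $_POST['appearance'] ) ? wp_unslash( $_POST['appearance'] ) : '';
    update_option( 'example_upe_appearance', $appearance ); // assumed option name
    wp_send_json_success();
}
// Registered for logged-in AND logged-out callers: with no check inside the
// handler, an unauthenticated request can change the setting.
add_action( 'wp_ajax_example_save_appearance',        'example_save_appearance_ajax_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_appearance', 'example_save_appearance_ajax_vulnerable' );

// ---- Hardened pattern ------------------------------------------------------
function example_save_appearance_ajax_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request when it is missing or stale.
    check_ajax_referer( 'example_save_appearance', 'security' );

    // 2. Authorization (the check that was missing): only users allowed to
    //    manage the store may change payment settings. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: accept only a flat map of string settings.
    $raw        = isset( $_POST['appearance'] ) && is_array( $_POST['appearance'] )
        ? wp_unslash( $_POST['appearance'] ) : array();
    $appearance = array();
    foreach ( $raw as $key => $value ) {
        if ( is_string( $value ) ) {
            $appearance[ sanitize_key( $key ) ] = sanitize_text_field( $value );
        }
    }

    update_option( 'example_upe_appearance', $appearance ); // assumed option name
    wp_send_json_success();
}
// Registered ONLY for logged-in users; no wp_ajax_nopriv_ hook at all.
// The capability check above is still required: wp_ajax_ fires for every
// authenticated role, including subscribers.
add_action( 'wp_ajax_example_save_appearance', 'example_save_appearance_ajax_hardened' );
```

Removing the `wp_ajax_nopriv_` registration alone is not a fix: it only blocks logged-out callers, and any customer with an account would still reach the handler. The `current_user_can()` check inside the handler is what closes CWE-285.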
How can this vulnerability impact me?
Because the vulnerability allows unauthenticated attackers to update plugin settings, it can lead to unauthorized modification of payment gateway configurations.
This could disrupt payment processing, potentially causing financial loss, service interruption, or manipulation of payment options.
The CVSS score of 6.5 indicates a medium severity impact with low attack complexity and no required privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a missing capability check on the WooPayments 'save_upe_appearance_ajax' function, so the first check is the installed plugin version: any version up to and including 10.5.1 is affected. Beyond that, WordPress AJAX handlers are reached through wp-admin/admin-ajax.php, so detection means looking for requests to that endpoint that target this handler from clients with no authenticated session, and auditing the plugin's settings for changes nobody on the team made.
The available resources do not provide specific commands, signatures or network detection rules for this issue.
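As an added example (not from the advisory or the plugin), the script below scans a web-server access log in combined format for admin-ajax.php requests whose `action` query parameter matches a pattern. The page does not give the `action` value that routes to save_upe_appearance_ajax, so the pattern `upe_appearance` and the sample log lines are constructed assumptions; substitute the handler's registered action name.

```php
<?php
// Added example, not part of the advisory: find admin-ajax.php requests in a
// combined-format access log whose `action` query parameter matches a regex.
// Requires PHP 8.0+ (str_ends_with).

// ip ident user [timestamp] "METHOD target PROTO" status bytes ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';

/**
 * Return one record per admin-ajax.php request whose action matches $action_re.
 * Caveat: combined-format logs do not record POST bodies, so an action sent
 * only in the body is invisible here; a WAF or application log is needed then.
 */
function find_ajax_hits(array $lines, string $action_re): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $url = parse_url($target);
        if (!isset($url['path']) || !str_ends_with($url['path'], '/admin-ajax.php')) {
            continue;
        }
        parse_str($url['query'] ?? '', $query);
        $action = is_string($query['action'] ?? null) ? $query['action'] : '';
        if ($action !== '' && preg_match($action_re, $action)) {
            $hits[] = [
                'ip' => $ip, 'time' => $ts, 'method' => $method,
                'action' => $action, 'status' => (int) $status,
            ];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the action name is assumed.
$sample = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=save_upe_appearance HTTP/1.1" 200 45 "-" "curl/8.6.0"',
    '203.0.113.7 - - [01/Apr/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=save_upe_appearance HTTP/1.1" 200 45 "-" "curl/8.6.0"',
    '198.51.100.9 - - [01/Apr/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:06:00 +0000] "GET /shop/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
];

$hits  = find_ajax_hits($sample, '/upe_appearance/i');
$perIp = [];
foreach ($hits as $h) {
    $perIp[$h['ip']] = ($perIp[$h['ip']] ?? 0) + 1;
    printf("%s %s %s action=%s status=%d\n", $h['time'], $h['ip'], $h['method'], $h['action'], $h['status']);
}
print_r($perIp); // on the sample: 203.0.113.7 => 2; the heartbeat and /shop/ lines are skipped
```

Run it with `php scan.php` against the embedded sample, or replace `$sample` with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)`. Hits from IPs that never appear with a logged-in session, bursts from a single client, or a scripted user agent are what to follow up on; then compare the plugin's current settings with the last known-good copy, since a successful call leaves no trace in the access log beyond the request itself.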
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in version 10.6.0 of the WooPayments plugin, a release that bundles multiple security and functionality improvements including the missing capability check.
Update WooPayments to 10.6.0 or later. On sites managed with WP-CLI, `wp plugin update woocommerce-payments` applies the update and `wp plugin get woocommerce-payments --field=version` confirms the installed version (`woocommerce-payments` is the plugin's wordpress.org slug). Patching does not undo anything an attacker has already changed, so after updating, review the WooPayments settings, in particular the payment-element appearance and gateway configuration, and restore any values that differ from what the team set.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets unauthenticated attackers modify WooPayments plugin settings because of a missing capability check, which could leave payment processing misconfigured.
The CVE description and linked resources say nothing about data breaches, exposure of personal data or other compliance-related consequences, so no direct impact on GDPR, HIPAA or similar regulations can be stated from the available information.
Any compliance effect would therefore be indirect, through altered handling of payments or payment data, and would have to be assessed against the site's own obligations.