CVE-2026-1710
Received Received - Intake
Unauthorized Settings Modification in WooPayments via Missing Capability Check

Publication date: 2026-03-31

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1710
EUVD
EUVD-2026-17315
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
woocommerce woocommerce_payments to 10.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WooPayments: Integrated WooCommerce Payments plugin for WordPress has a vulnerability due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to and including 10.5.1.

This flaw allows unauthenticated attackers to modify plugin settings by updating data without proper authorization.

Impact Analysis

Because the vulnerability allows unauthenticated attackers to update plugin settings, it can lead to unauthorized modification of payment gateway configurations.

This could disrupt payment processing, potentially causing financial loss, service interruption, or manipulation of payment options.

The CVSS score of 6.5 indicates a medium severity impact with low attack complexity and no required privileges or user interaction.

Detection Guidance

The vulnerability involves unauthorized modification of WooPayments plugin settings via the 'save_upe_appearance_ajax' function due to a missing capability check. Detection would involve monitoring for unauthorized AJAX requests targeting this function or unexpected changes in plugin settings.

Specific commands or network detection methods are not provided in the available resources.

Mitigation Strategies

The vulnerability is fixed in version 10.6.0 of the WooPayments plugin, which includes multiple security and functionality improvements addressing this issue.

Immediate mitigation steps include updating the WooPayments plugin to version 10.6.0 or later to ensure the missing capability check is implemented and unauthorized modifications are prevented.

Compliance Impact

The vulnerability in WooPayments allows unauthenticated attackers to modify plugin settings due to a missing capability check. This unauthorized modification could potentially lead to misconfiguration of payment processing settings.

However, there is no explicit information in the provided context or resources about direct impacts on compliance with standards such as GDPR or HIPAA. The CVE description and resources do not mention data breaches, exposure of personal data, or other compliance-related consequences.

Therefore, while unauthorized modification of payment settings could indirectly affect compliance by altering how payments or data are handled, no direct linkage or assessment regarding compliance with GDPR, HIPAA, or similar regulations is provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1710. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart