CVE-2026-27073
Hard-coded Credentials in Addi Plugin Enables Password Recovery Exploit
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| addi | buy-now-pay-later-addi | to 2.0.4 (inc) |
| patchstack | addi_cuotas_que_se_adaptan_a_ti | to 2.0.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-27073 allows unauthenticated attackers to gain administrative access to affected websites by exploiting broken authentication in the Addi plugin. This unauthorized access can lead to exposure or manipulation of sensitive data, which may result in non-compliance with common standards and regulations such as GDPR and HIPAA that require protection of personal and sensitive information.
Because the vulnerability enables attackers to bypass authentication controls, it increases the risk of data breaches and unauthorized data processing, both of which are critical compliance concerns under regulations like GDPR and HIPAA.
Immediate mitigation or patching is strongly advised to reduce the risk of exploitation and help maintain compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-27073 is a high-priority Broken Authentication vulnerability affecting the WordPress plugin "Addi – Cuotas que se adaptan a ti" (slug buy-now-pay-later-addi) in versions up to and including 2.0.4.
The issue arises from the use of hard-coded credentials that allow unauthenticated attackers to exploit password recovery mechanisms.
This flaw enables attackers to perform actions normally restricted to higher-privileged users, potentially gaining administrative access to the affected website.
The vulnerability falls under OWASP Top 10 category A07:2021, Identification and Authentication Failures.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows unauthenticated attackers to gain administrative access to your website.
With administrative access, attackers can manipulate website content, steal sensitive data, install malicious code, or disrupt website operations.
Due to the high risk of mass exploitation campaigns targeting many websites, immediate mitigation or resolution is strongly advised to protect your site.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability CVE-2026-27073 affects the WordPress plugin "Addi – Cuotas que se adaptan a ti" (slug buy-now-pay-later-addi) in versions up to and including 2.0.4 and allows unauthenticated attackers to gain administrative access.
No official patch is currently available for this vulnerability.
Immediate mitigation steps include applying the Patchstack mitigation rule that can block attacks exploiting this flaw until an official patch is released.
Users are also advised to update the plugin as soon as a patch becomes available or seek assistance from their hosting provider or web developer to apply the mitigation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection commands or methods for this vulnerability in the available resources.
However, since the vulnerability affects the WordPress plugin "Addi – Cuotas que se adaptan a ti" (slug buy-now-pay-later-addi) in versions up to and including 2.0.4, detection comes down to checking the installed plugin version on your WordPress site.
- Use WP-CLI to list installed plugins and their versions: `wp plugin list`
- Check the plugin version in the WordPress admin dashboard under Plugins.
Additionally, monitoring for unusual authentication attempts or unauthorized administrative access attempts could help detect exploitation attempts.
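The version check above, carried through as a script. This is an added example, not code from the advisory, from Patchstack or from the plugin vendor. It assumes the plugin slug buy-now-pay-later-addi from the vendor table on this page, the affected boundary 2.0.4 from the advisory, and WP-CLI's `wp plugin list --format=csv` output for the live check; the CSV listing embedded in the script is constructed sample data so the parsing and comparison can be exercised offline.

```shell
#!/bin/sh
# Added example: flag an installed Addi plugin whose version is within the
# range this advisory lists as affected (<= 2.0.4). Not part of the advisory
# or the plugin; slug and boundary are taken from the page's vendor table.

ADDI_SLUG="buy-now-pay-later-addi"   # assumed from the vendor table above
AFFECTED_MAX="2.0.4"                 # last affected version per the advisory

# Compare two dotted version strings numerically. Prints -1, 0 or 1.
# A pre-release suffix such as "2.0.5-beta1" is dropped before comparing,
# and missing components are treated as 0 ("2" == "2.0.0").
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# True (exit 0) when VERSION is at or below the affected boundary.
addi_version_vulnerable() {
  [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# Read `wp plugin list --format=csv` from stdin and print the Addi plugin's
# version, locating the "version" column from the header row rather than
# assuming a fixed position.
addi_version_from_csv() {
  awk -F, -v slug="$ADDI_SLUG" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "version") vcol = i; next }
    $1 == slug && vcol { print $vcol; exit }'
}

# Constructed sample of WP-CLI output (not captured from a real site).
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,inactive,none,5.3
buy-now-pay-later-addi,active,none,2.0.4'

sample_addi_version() {
  printf '%s\n' "$SAMPLE_PLUGIN_CSV" | addi_version_from_csv
}

# Live check against a real install. Needs WP-CLI on PATH and a WordPress
# root at $1 (defaults to the current directory). Exit codes:
#   0 affected, 1 above the affected range, 2 plugin not installed.
check_addi_plugin() {
  path=${1:-.}
  v=$(wp --path="$path" plugin list --format=csv 2>/dev/null | addi_version_from_csv)
  if [ -z "$v" ]; then
    echo "$ADDI_SLUG: not installed under $path"
    return 2
  fi
  if addi_version_vulnerable "$v"; then
    echo "$ADDI_SLUG $v: AFFECTED (<= $AFFECTED_MAX), apply mitigation"
    return 0
  fi
  echo "$ADDI_SLUG $v: above the affected range"
  return 1
}

# Only touch a live site when asked, e.g.: ADDI_LIVE_CHECK=1 sh check.sh /var/www/html
if [ "${ADDI_LIVE_CHECK:-0}" = "1" ]; then
  check_addi_plugin "$1"
fi
```

The awk-based comparison is used instead of `sort -V` because `-V` is a GNU extension, and treating "2" as "2.0.0" avoids a false "not affected" on a truncated version string. The live check exits 2 when the plugin is absent so that a fleet-wide loop can distinguish "clean" from "not applicable".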