CVE-2026-3461
Received Received - Intake
Authentication Bypass in Visa Acceptance Solutions Plugin Enables Account Takeover

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by providing the target user's email address in the billing_details parameter, resulting in complete account takeover and site compromise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3461
EUVD
EUVD-2026-22853
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
visa acceptance_solutions_plugin to 2.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to take over any user account, including administrators, by bypassing authentication controls. This results in complete site compromise.

Such a compromise can lead to unauthorized access to personal and sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict access controls and protection of user data.

Therefore, this vulnerability poses a significant risk to compliance with standards that mandate secure authentication and data protection.

Executive Summary

The Visa Acceptance Solutions plugin for WordPress has an authentication bypass vulnerability in all versions up to and including 2.1.0. This occurs because the function express_pay_product_page_pay_for_order() logs users in based only on a user-supplied billing email address during guest checkout for subscription products. It does not verify ownership of the email, require a password, or validate a one-time token.

As a result, an unauthenticated attacker can log in as any existing user, including administrators, simply by providing the target user's email address in the billing_details parameter.

This leads to complete account takeover and site compromise.

Impact Analysis

This vulnerability allows an attacker to bypass authentication and gain unauthorized access to any user account on the affected WordPress site, including administrator accounts.

The attacker can take over accounts completely, which can lead to full site compromise.

Such access can result in unauthorized changes, data theft, deletion, or other malicious activities that severely impact the security and integrity of the website.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart