CVE-2026-39650
Received Received - Intake

Missing Authorization in UnitechPay Mobile Money Access Control

Vulnerability report for CVE-2026-39650, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description

Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-07-06
AI Q&A
2026-04-08
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
unitech unitechpay to 1.0.2 (inc)
unitech unitechpay From 1.0.0 (inc) to 1.0.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-39650 is a Broken Access Control vulnerability in the WordPress UnitechPay Plugin versions up to and including 1.0.2. It involves missing authorization, authentication, or nonce token checks within certain plugin functions. This flaw allows unauthenticated users to perform actions that normally require higher privileges.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Compliance Impact

The vulnerability involves missing authorization and broken access control, which could potentially allow unauthorized users to perform privileged actions. Such security flaws may lead to unauthorized access to sensitive data or system functions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with common data protection regulations by enabling unauthorized data access or manipulation.

Impact Analysis

This vulnerability allows attackers to perform privileged actions without proper authorization, potentially compromising the security of the affected website.

Although the CVSS severity score is 5.3, indicating a low priority threat with limited impact, attackers often exploit such vulnerabilities in mass campaigns targeting many websites indiscriminately.

Immediate mitigation involves updating the affected plugin or seeking assistance from hosting providers or web developers if an update is not feasible.

Detection Guidance

The vulnerability involves missing authorization and authentication checks within certain functions of the UnitechPay WordPress plugin up to version 1.0.2. Detection typically requires reviewing plugin versions and monitoring for unauthorized access attempts.

Since no specific detection commands or network signatures are provided, a practical approach is to check the installed plugin version on your WordPress site to see if it is 1.0.2 or earlier.

  • Use the WordPress admin dashboard or run the command: wp plugin list | grep unitechpay to identify the plugin version.
  • Monitor web server logs for unusual or unauthorized requests targeting UnitechPay plugin endpoints.
Mitigation Strategies

Immediate mitigation involves updating the UnitechPay plugin to a version later than 1.0.2 once a patch is available.

Since no official patch is currently available, users are advised to seek assistance from their hosting provider or web developer to implement temporary access control measures.

Additionally, monitoring and restricting access to the plugin’s functions and endpoints can help reduce the risk of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39650. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart