CVE-2026-39650
Missing Authorization in UnitechPay Mobile Money Access Control
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unitech | unitechpay | to 1.0.2 (inc) |
| unitech | unitechpay | From 1.0.0 (inc) to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39650 is a Broken Access Control vulnerability in the WordPress UnitechPay Plugin versions up to and including 1.0.2. It involves missing authorization, authentication, or nonce token checks within certain plugin functions. This flaw allows unauthenticated users to perform actions that normally require higher privileges.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows attackers to perform privileged actions without proper authorization, potentially compromising the security of the affected website.
Although the CVSS severity score is 5.3, indicating a low priority threat with limited impact, attackers often exploit such vulnerabilities in mass campaigns targeting many websites indiscriminately.
Immediate mitigation involves updating the affected plugin or seeking assistance from hosting providers or web developers if an update is not feasible.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves missing authorization and authentication checks within certain functions of the UnitechPay WordPress plugin up to version 1.0.2. Detection typically requires reviewing plugin versions and monitoring for unauthorized access attempts.
Since no specific detection commands or network signatures are provided, a practical approach is to check the installed plugin version on your WordPress site to see if it is 1.0.2 or earlier.
- Use the WordPress admin dashboard or run the command: wp plugin list | grep unitechpay to identify the plugin version.
- Monitor web server logs for unusual or unauthorized requests targeting UnitechPay plugin endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves missing authorization and broken access control, which could potentially allow unauthorized users to perform privileged actions. Such security flaws may lead to unauthorized access to sensitive data or system functions.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with common data protection regulations by enabling unauthorized data access or manipulation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the UnitechPay plugin to a version later than 1.0.2 once a patch is available.
Since no official patch is currently available, users are advised to seek assistance from their hosting provider or web developer to implement temporary access control measures.
Additionally, monitoring and restricting access to the pluginβs functions and endpoints can help reduce the risk of exploitation.