CVE-2026-39650
Received Received - Intake
Missing Authorization in UnitechPay Mobile Money Access Control

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39650
EUVD
EUVD-2026-20316
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unitech unitechpay to 1.0.2 (inc)
unitech unitechpay From 1.0.0 (inc) to 1.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39650 is a Broken Access Control vulnerability in the WordPress UnitechPay Plugin versions up to and including 1.0.2. It involves missing authorization, authentication, or nonce token checks within certain plugin functions. This flaw allows unauthenticated users to perform actions that normally require higher privileges.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows attackers to perform privileged actions without proper authorization, potentially compromising the security of the affected website.

Although the CVSS severity score is 5.3, indicating a low priority threat with limited impact, attackers often exploit such vulnerabilities in mass campaigns targeting many websites indiscriminately.

Immediate mitigation involves updating the affected plugin or seeking assistance from hosting providers or web developers if an update is not feasible.

Detection Guidance

The vulnerability involves missing authorization and authentication checks within certain functions of the UnitechPay WordPress plugin up to version 1.0.2. Detection typically requires reviewing plugin versions and monitoring for unauthorized access attempts.

Since no specific detection commands or network signatures are provided, a practical approach is to check the installed plugin version on your WordPress site to see if it is 1.0.2 or earlier.

  • Use the WordPress admin dashboard or run the command: wp plugin list | grep unitechpay to identify the plugin version.
  • Monitor web server logs for unusual or unauthorized requests targeting UnitechPay plugin endpoints.
Mitigation Strategies

Immediate mitigation involves updating the UnitechPay plugin to a version later than 1.0.2 once a patch is available.

Since no official patch is currently available, users are advised to seek assistance from their hosting provider or web developer to implement temporary access control measures.

Additionally, monitoring and restricting access to the plugin’s functions and endpoints can help reduce the risk of exploitation.

Compliance Impact

The vulnerability involves missing authorization and broken access control, which could potentially allow unauthorized users to perform privileged actions. Such security flaws may lead to unauthorized access to sensitive data or system functions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with common data protection regulations by enabling unauthorized data access or manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39650. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart