CVE-2026-6372
Missing Authorization in Plisio Accept Cryptocurrencies Enables Access Bypass
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | accept_cryptocurrencies_with_plisio | From 2.0.0 (inc) to 2.0.5 (inc) |
| plisio | accept_cryptocurrencies | to 2.0.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6372 is a Missing Authorization vulnerability in the WordPress plugin "Accept Cryptocurrencies with Plisio" versions up to 2.0.5. It is a Broken Access Control issue where missing authorization, authentication, or nonce token checks allow unauthenticated users to perform actions that should be restricted to higher privileged users.
This means that attackers can exploit incorrectly configured access control security levels to bypass payment restrictions without needing any privileges.
How can this vulnerability impact me? :
The vulnerability allows unauthenticated users to bypass payment restrictions, potentially enabling unauthorized actions within the plugin.
Although the CVSS score is 7.5 indicating moderate severity, the impact is considered low and exploitation is unlikely according to Patchstack.
However, the vulnerability enables mass exploitation campaigns targeting many websites regardless of their traffic or popularity, which could lead to unauthorized transactions or manipulation of payment processes.
No official patch is available as of the publication date, so immediate mitigation involves updating the plugin if possible or seeking assistance from hosting providers or developers.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the plugin if possible or seeking assistance from hosting providers or developers.
Since no official patch is available as of the publication date, contacting your hosting provider or developer for custom mitigation or applying security controls to restrict unauthorized access is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Missing Authorization issue classified as Broken Access Control, allowing unauthenticated users to perform actions reserved for higher privileged users.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, broken access control vulnerabilities can potentially lead to unauthorized actions or data manipulation, which may impact compliance with regulations that require strict access controls and data protection.
However, no direct information is provided about specific compliance impacts or breaches related to this vulnerability.