CVE-2026-4663
Received Received - Intake
Missing Authorization in iPOSpays Gateways WC WordPress Plugin

Publication date: 2026-05-12

Last updated on: 2026-05-18

Assigner: Wordfence

Description
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39608. Reason: This candidate is a reservation duplicate of CVE-2026-39608. Notes: All CVE users should reference CVE-2026-39608 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-18
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
N/A
NVD
CVE-2026-4663
EUVD
EUVD-2026-29394
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ipospays gateways_wc_plugin to 1.3.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The iPOSpays Gateways WC plugin for WordPress has a vulnerability called Missing Authorization in versions up to and including 1.3.7. This happens because the plugin exposes a REST API endpoint (/wp-json/ipospays/v1/save_settings) that allows unauthenticated access without any permission checks or nonce verification.

As a result, attackers who are not logged in can update the plugin settings, including overwriting critical payment gateway settings such as live API keys, secret keys, and payment tokens.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify sensitive payment gateway settings in the plugin. They can overwrite live API keys, secret keys, and payment tokens, which could lead to unauthorized transactions, financial fraud, or disruption of payment processing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart