CVE-2026-4663
Missing Authorization in iPOSpays Gateways WC WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ipospays | gateways_wc_plugin | to 1.3.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The iPOSpays Gateways WC plugin for WordPress has a vulnerability called Missing Authorization in versions up to and including 1.3.7. This happens because the plugin exposes a REST API endpoint (/wp-json/ipospays/v1/save_settings) that allows unauthenticated access without any permission checks or nonce verification.
As a result, attackers who are not logged in can update the plugin settings, including overwriting critical payment gateway settings such as live API keys, secret keys, and payment tokens.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to modify sensitive payment gateway settings in the plugin. They can overwrite live API keys, secret keys, and payment tokens, which could lead to unauthorized transactions, financial fraud, or disruption of payment processing.