CVE-2025-53295

An unauthenticated remote attacker can access plugin functionality that should be restricted to authorized administrators, such as viewing or managing transactions [CWE-862]. Because no capability check is performed before processing these requests, the attacker simply sends crafted HTTP requests to the affected WordPress endpoints. The CVSS vector confirms the attack requires no authentication and is network-accessible, with a low impact on integrity.

The iCount Payment Gateway plugin for WordPress (versions ≤ 2.0.7) fails to enforce authorization checks on administrative actions accessible through its WooCommerce integration. The plugin's admin panel and transaction management functionality can be invoked without verifying that the requesting user has the required capabilities.

The advisory does not include a published patch. To remediate the vulnerability, the plugin must add WordPress capability checks (e.g., `current_user_can('manage_woocommerce')` or similar) before executing any administrative action. Without such authorization checks, any unauthenticated user can invoke the plugin's restricted functionality.