CVE-2025-62870

The Eupago Gateway For Woocommerce plugin for WordPress contains a missing authorization vulnerability, classified as a broken access control issue [1]. This means that certain functions or endpoints within the plugin do not properly verify user permissions, allowing requests to be processed without the required authentication or authorization checks.

Attackers can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoints without needing any prior authentication. The lack of proper access control checks enables unauthenticated users to perform actions that should be restricted to higher-privileged roles, such as administrators. The reference notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of websites [1].

The impact of successful exploitation can include unauthorized modification of plugin settings, access to sensitive data, or other administrative actions, depending on the specific missing authorization. The CVSS v3 base score is 5.3 (Medium), reflecting the potential for partial compromise of confidentiality or integrity [1].

As a mitigation, users should immediately update the Eupago Gateway For Woocommerce plugin to a version newer than 4.7.1, if available. The vendor has likely released a patch to address this issue. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].