CVE-2025-63015

Vulnerability

Overview

The WooCommerce Payment Gateway - Paysera plugin for WordPress (versions up to and including 3.10.0) contains a missing authorization vulnerability. This broken access control issue stems from incorrectly configured access control security levels that are incorrectly configured, allowing unprivileged users to execute higher-privileged actions without proper authentication [1].

Exploitation

Exploitation

Conditions

Attackers can exploit this vulnerability without needing any prior authentication or special network position. The flaw is particularly concerning aspect is that this type of vulnerability is frequently used in mass-exploit campaigns, where attackers target thousands of websites simultaneously regardless of site traffic or popularity [1].

Impact

Successful exploitation enables an attacker to perform actions that should require higher privileges, potentially leading to unauthorized configuration changes or data access within the affected WordPress installation. The CVSS v3 score of 4.3 (Medium) reflects the moderate severity, though the ease of exploitation and potential for automated attacks increases the practical risk [1]. /a].

Mitigation

The vulnerability has been addressed in version 3.11.0 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].