Medium severity5.3NVD Advisory· Published Dec 9, 2025· Updated Apr 27, 2026

CVE-2025-63023

Description

Missing Authorization vulnerability in Easy Payment Payment Gateway for PayPal on WooCommerce woo-paypal-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Gateway for PayPal on WooCommerce: from n/a through <= 9.0.53.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Payment Gateway for PayPal on WooCommerce plugin (≤9.0.53) allows attackers to exploit misconfigured access controls, enabling unauthorized actions.

Vulnerability

The plugin suffers from a missing authorization check (broken access control) in its access control security levels. This flaw allows unprivileged users to perform actions that should require higher privileges, potentially leading to unauthorized operations. The issue affects versions from n/a through 9.0.53 [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted requests to the WordPress site. No authentication is required, and the attack can be executed remotely. The vulnerability is known to be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation could allow an attacker to execute actions intended for higher-privileged users, such as modifying plugin settings or accessing sensitive payment data. The CVSS score is 5.3 (Medium), indicating a moderate risk [1].

Mitigation

The vendor has released version 9.0.54 which fixes the issue. Users are strongly advised to update immediately. If auto-update is enabled, Patchstack users can turn it on for vulnerable plugins. No workarounds are explicitly mentioned [1].

References

Broken Access Control in WordPress Payment Gateway for PayPal on WooCommerce Plugin

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Onepay Sri Lanka/onepay-payment-gateway-for-woocommercellm-fuzzy
Range: <=9.0.53

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Plugin/woo-paypal-gateway/vulnerability/wordpress-payment-gateway-for-paypal-on-woocommerce-plugin-9-0-52-broken-access-control-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000