CVE-2025-64638
Description
Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in OnPay.io for WooCommerce plugin up to v1.0.47 allows unauthenticated access to restricted functions.
The OnPay.io for WooCommerce plugin for WordPress contains a missing authorization vulnerability (CVE-2025-64638) affecting versions up to and including 1.0.47. The plugin fails to properly enforce access control checks on certain functions or endpoints, allowing users without the required privileges to perform actions intended for higher-level roles.
Exploitation requires only network access to the WordPress site; no authentication is needed. An attacker can leverage this broken access control to manipulate payment-related settings or data, potentially interfering with the WooCommerce checkout process.
The impact could include unauthorized modification of payment gateway configuration, leading to information disclosure or financial disruption. Although the CVSS score (5.3, Medium) reflects a moderate risk, such vulnerabilities are often targeted in mass exploitation campaigns [1].
The vulnerability is remediated in version 1.0.48. Site administrators are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1]. If updating is not possible, engage your hosting provider for assistance.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.47
- Range: <=1.0.47
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.