CVE-2026-32387

The Checkout for PayPal plugin for WordPress, versions up to and including 1.0.46, suffers from a missing authorization vulnerability. The root cause is the absence of proper access control checks in certain functions, allowing users without adequate privileges to execute actions intended for higher-privileged roles. This is classified as a Broken Access Control issue [1].

Exploitation does not require authentication from an attacker; any unprivileged user or visitor can trigger the vulnerable functionality. The attack surface is broad, as the plugin is widely deployed on WordPress sites. No special network position is required beyond access to the site’s web interface [1].

The impact is that an attacker can bypass intended access controls, potentially performing unauthorized operations within the plugin’s context. While the severity is rated medium (CVSS 5.3), the vulnerability has been noted to be used in mass-exploit campaigns targeting thousands of sites [1].

The vendor has released version 1.0.47 which resolves the issue. Users are advised to update the plugin immediately. Patchstack auto-update can be enabled for vulnerable plugins. If updating is not possible, consult your hosting provider [1].