CVE-2026-32587

Vulnerability

Overview

The WP EasyPay plugin for WordPress versions up to and including 4.2.11 contains a missing authorization vulnerability. This means that certain functions within the plugin do not properly verify that the user has the required permissions before executing actions. As a result, the plugin suffers from broken access control, allowing users with lower privileges (or even unauthenticated users) to perform actions that should be restricted to higher-privileged roles [1].

Exploitation

Attackers can exploit this vulnerability by sending crafted requests to the vulnerable endpoints. No authentication may be required for some functions, while others might only need a low-privileged account. The vulnerability is particularly concerning because it can be leveraged in mass-exploit campaigns, targeting thousands of websites simultaneously regardless of their size or popularity [1]. The CVSS score of 5.4 (Medium) reflects the potential for unauthorized access to sensitive functionality.

Impact

Successful exploitation could allow an attacker to modify plugin settings, access or alter data, or perform other actions that should be restricted to administrators. The exact impact depends on which specific functions lack authorization checks. While Patchstack notes that the vulnerability has a low severity impact and is unlikely to be exploited, the potential for mass exploitation remains a concern [1].

Mitigation

The vulnerability has been addressed in version 4.2.12 of the WP EasyPay plugin. Users are strongly advised to update to this version or later immediately. For those using Patchstack, enabling auto-update for vulnerable plugins can help ensure timely patching [1]. If updating is not possible, users should consult their hosting provider or web developer for assistance.