CVE-2026-39643
Description
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Payment Plugins for PayPal WooCommerce allows unauthenticated attackers to exploit access control flaws, potentially affecting thousands of WordPress sites.
Vulnerability Details
The Payment Plugins for PayPal WooCommerce plugin for WordPress (pymntpl-paypal-woocommerce) versions up to 2.0.13 suffer from a missing authorization vulnerability [1]. This flaw allows attackers to exploit incorrectly configured access control security levels, enabling unauthorized actions that should require higher privileges.
Attack Vector
Attackers can exploit this vulnerability remotely without needing authentication. The broken access control issue means that certain functions lack proper checks, allowing unprivileged users or even unauthenticated visitors to execute higher-privileged actions [1]. This vulnerability is particularly dangerous as it can be used in mass-exploit campaigns targeting thousands of websites simultaneously.
Impact
Successful exploitation could allow an attacker to perform unauthorized operations, potentially leading to data exposure, modification, or site compromise. The exact impact depends on which functions are accessible, but the vulnerability has a CVSS v3 score of 5.3 (Medium) [1].
Mitigation
Users should immediately update the plugin to version 2.0.14 or later, which contains the fix [1]. If unable to update, consider consulting with a hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.0.13
- Range: <=2.0.13
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.