CVE-2026-39650
Description
Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UnitechPay: from n/a through <= 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in UnitechPay (≤1.0.2) allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The UnitechPay plugin for WordPress (versions up to and including 1.0.2) suffers from a missing authorization vulnerability [1]. The root cause is an incorrectly configured access control that does not properly check user permissions or nonce tokens before allowing access to sensitive functions. This flaw falls under the category of broken access control, where security levels are incorrectly configured [1].
Exploitation
An attacker can exploit this vulnerability without needing any prior authentication or special privileges. The attack vector is over the network, and the lack of proper access control checks means that unprivileged users or even unauthenticated visitors can trigger the vulnerable functions [1]. No user interaction is required to exploit this issue.
Impact
Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged roles, such as modifying plugin settings, accessing sensitive data, or accessing protected features. While the CVSS score (5.3) indicates medium severity, this vulnerability is especially concerning because it can be used in mass-exploit campaigns against thousands of WordPress sites [1].
Mitigation
The vendor has not released a patched version at the time of disclosure. Users are strongly advised to update the plugin as soon as a patch becomes available. If an immediate update is not possible, it is recommended to disable the plugin or seek assistance from a hosting provider or web developer [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References