CVE-2026-40741
Description
An unauthenticated broken access control flaw in Redsys for WooCommerce Light <= 7.0.0 allows attackers to perform privileged actions without authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Redsys for WooCommerce Light plugin for WordPress, in versions up to and including 7.0.0, is vulnerable to broken access control [1]. The flaw stems from missing authorization, authentication, or nonce token checks in certain plugin functions, which lets unauthenticated users execute higher-privileged actions [1]. All releases prior to 7.0.1 are affected [1]. Note that in WordPress a nonce only protects against cross-site request forgery; it does not establish that the caller holds the required capability, so a privileged handler needs both a nonce check and a capability check to be properly gated.
Exploitation
This vulnerability is exploitable remotely with no authentication [1]. No special network position is required: the attacker only needs to send crafted HTTP requests to the WordPress site running the vulnerable plugin. Because the affected functions perform no nonce or authorization check, the attacker can invoke them directly, without any interaction from a logged-in user [1].
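The two paragraphs above describe the bug class, not specific code; the page has no fix diff for this CVE. The following is an added, illustrative example of that class in a WordPress plugin and is not code from Redsys for WooCommerce Light nor its actual fix. Every name in it (the demo_gateway_* functions, the demo_gateway_save AJAX action, the demo_gateway_settings option, the admin.js script) is invented. It shows a settings handler that is reachable by anonymous callers through admin-ajax.php with no gate at all, beside the hardened form that drops the nopriv registration and adds both a nonce check (CSRF) and a capability check (authorization).

```php
<?php
/*
 * Illustrative example only: a hypothetical WordPress plugin handler
 * demonstrating the missing-authorization / missing-nonce bug class.
 * This is NOT code from Redsys for WooCommerce Light and NOT its fix.
 * All identifiers below (demo_gateway_*, 'demo_gateway_save', admin.js)
 * are invented for this example.
 */

/* ---- Vulnerable pattern ----------------------------------------------
 * Registered for logged-in AND anonymous users. Anyone can reach it with
 * POST /wp-admin/admin-ajax.php  action=demo_gateway_save
 * and nothing checks who is calling or whether the request was intended.
 */
add_action( 'wp_ajax_demo_gateway_save',        'demo_gateway_save_settings_vuln' );
add_action( 'wp_ajax_nopriv_demo_gateway_save', 'demo_gateway_save_settings_vuln' ); // <- exposes handler to unauthenticated callers

function demo_gateway_save_settings_vuln() {
	$settings = array(
		'merchant_code' => isset( $_POST['merchant_code'] )
			? sanitize_text_field( wp_unslash( $_POST['merchant_code'] ) )
			: '',
		'test_mode'     => ! empty( $_POST['test_mode'] ),
	);
	// Privileged write to site options with no nonce and no capability check.
	update_option( 'demo_gateway_settings', $settings );
	wp_send_json_success( $settings );
}

/* ---- Hardened pattern ------------------------------------------------
 * 1. No wp_ajax_nopriv_ registration: admin-ajax.php answers anonymous
 *    requests for this action with a 400 before the handler runs.
 * 2. check_ajax_referer() verifies the nonce -> CSRF protection.
 * 3. current_user_can() verifies capability -> authorization. A nonce
 *    alone is NOT authorization: any logged-in subscriber who can load
 *    a page that embeds it obtains a valid one.
 */
add_action( 'wp_ajax_demo_gateway_save_v2', 'demo_gateway_save_settings_fixed' );

function demo_gateway_save_settings_fixed() {
	// Dies with HTTP 403 if the 'nonce' POST field is missing or invalid.
	check_ajax_referer( 'demo_gateway_save', 'nonce' );

	// 'manage_woocommerce' is the capability WooCommerce grants to shop
	// managers and administrators; adjust to the privilege the action needs.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	$settings = array(
		'merchant_code' => isset( $_POST['merchant_code'] )
			? sanitize_text_field( wp_unslash( $_POST['merchant_code'] ) )
			: '',
		'test_mode'     => ! empty( $_POST['test_mode'] ),
	);
	update_option( 'demo_gateway_settings', $settings );
	wp_send_json_success( $settings );
}

/* The legitimate caller (the plugin's admin page script) receives the
 * nonce it must echo back in the 'nonce' POST field. Only users who can
 * open the settings screen get it, and the capability check above still
 * runs even if the nonce somehow leaks.
 */
function demo_gateway_enqueue_admin( $hook_suffix ) {
	if ( 'woocommerce_page_wc-settings' !== $hook_suffix ) {
		return; // only load on the WooCommerce settings screen (assumed location)
	}
	wp_enqueue_script(
		'demo-gateway-admin',
		plugins_url( 'admin.js', __FILE__ ),
		array( 'jquery' ),
		'1.0.0',
		true
	);
	wp_localize_script( 'demo-gateway-admin', 'demoGateway', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'action'  => 'demo_gateway_save_v2',
		'nonce'   => wp_create_nonce( 'demo_gateway_save' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'demo_gateway_enqueue_admin' );
```

When auditing a plugin for this class, grep for wp_ajax_nopriv_, admin_post_nopriv_, and REST routes registered with permission_callback set to __return_true, then confirm each handler performs a capability check and not merely a nonce check; both ordering and presence matter, since a nonce check that dies first hides whether the capability check exists at all.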
Impact
Successful exploitation allows an unauthenticated attacker to perform actions that should require higher privileges, such as modifying plugin settings or accessing sensitive data [1]. The vulnerability has a CVSS v3 base score of 7.5 (High), indicating a significant risk of confidentiality, integrity, or availability compromise [1]. The attacker does not gain full admin-level control but can bypass access controls to execute unauthorized operations [1].
Mitigation
The fixed version is 7.0.1, released on or before the publication date of 2026-06-15 [1]. Users should update to version 7.0.1 or later immediately [1]. Patchstack users can enable auto-updates for vulnerable plugins [1]. For those unable to update, it is recommended to consult a hosting provider or web developer for assistance. No workaround is provided in the available references [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Redsys for WooCommerce Light, range: <= 7.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.