VYPR
Medium severity (score 6.5) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42378

Description

Broken authentication in WP Full Stripe Free <=8.4.1 allows subscribers to escalate privileges to admin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Full Stripe Free plugin for WordPress, versions 8.4.1 and earlier, contains a broken authentication vulnerability [1]. The flaw lies in the plugin's authentication and authorization logic: subscribers, the lowest-privileged registered role, can perform actions that should be restricted to administrators. No precondition beyond a subscriber account on the site is required. The specific endpoint and code path are not identified in the available reference.

Exploitation

An attacker holding a subscriber account exploits the flaw by sending crafted requests to the affected endpoints. No additional network position or user interaction is required beyond being logged in as a subscriber. Because the affected endpoints lack adequate capability checks, the requests are processed with the effect of actions normally available only to higher-privileged users.
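As an added illustration of the class of flaw described above, and not code from WP Full Stripe (whose affected endpoint is not identified in the reference): a generic WordPress AJAX handler that performs a privileged write while relying only on the implicit login requirement of the wp_ajax_ hook, beside the hardened form. The action name example_update_settings, the option name example_settings and the nonce action are hypothetical.

```php
<?php
// Illustrative pattern only. Not code from WP Full Stripe; the action,
// option and nonce names below are hypothetical.

// Vulnerable pattern: the wp_ajax_ hook requires a logged-in user, but any
// registered role (including subscriber) satisfies that. No capability check
// follows, so the privileged write is reachable by every account on the site.
function example_update_settings_vulnerable() {
    $settings = isset($_POST['settings']) && is_array($_POST['settings'])
        ? wp_unslash($_POST['settings'])
        : [];
    update_option('example_settings', $settings); // privileged write, unguarded
    wp_send_json_success();
}
// Shown for contrast; a plugin shipping this wiring would be vulnerable:
// add_action('wp_ajax_example_update_settings', 'example_update_settings_vulnerable');

// Hardened pattern: the nonce binds the request to the caller's session (CSRF),
// and current_user_can() performs the authorization the hook does not.
function example_update_settings_hardened() {
    // Dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer('example_update_settings', '_wpnonce');

    // A valid nonce is not authorization: a subscriber can obtain one for
    // their own session. The capability check is what stops the escalation.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }

    $settings = isset($_POST['settings']) && is_array($_POST['settings'])
        ? wp_unslash($_POST['settings'])
        : [];

    // Whitelist and sanitize known keys before persisting.
    $clean = [
        'mode'  => in_array($settings['mode'] ?? '', ['test', 'live'], true)
            ? $settings['mode']
            : 'test',
        'label' => sanitize_text_field($settings['label'] ?? ''),
    ];

    update_option('example_settings', $clean);
    wp_send_json_success($clean);
}
add_action('wp_ajax_example_update_settings', 'example_update_settings_hardened');
```

The point to take from the contrast is that wp_ajax_ (as opposed to wp_ajax_nopriv_) proves only that some user is logged in. Every handler that changes state or reads privileged data needs its own current_user_can() check against the narrowest capability that fits, and the same applies to REST routes through their permission_callback.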

Impact

Successful exploitation allows the attacker to perform privileged actions, potentially leading to full administrative access to the WordPress website. This could result in complete compromise of the site, including data theft, site defacement, or installation of malicious plugins. The impact is significant due to the low barrier of entry (a subscriber account) and the high privilege escalation.

Mitigation

The vulnerability is fixed in version 8.4.2 [1]; the reference does not give the release date. Update to version 8.4.2 or later. Where an immediate update is not possible, Patchstack provides a mitigation rule that blocks attacks until the update is applied [1]. No other workaround is documented in the available reference. Note that exploitation requires a subscriber account, so a site with open registration enabled (Settings > General, "Anyone can register") is exposed to anonymous attackers who simply sign up; closing registration narrows the attacker pool but does not remove the flaw.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1