CVE-2026-42763

Vulnerability

The SePay Gateway plugin for WordPress versions from n/a through 1.1.20 contains a missing authorization vulnerability. This flaw allows an attacker to retrieve embedded sensitive data, such as API keys or credentials, that are normally not accessible to regular users. The vulnerability exists in an endpoint or functionality that fails to enforce proper access controls. [1]

Exploitation

An attacker can exploit this vulnerability without any authentication or user interaction. By sending a crafted request to the vulnerable endpoint, the attacker can retrieve the sensitive data. The attack requires only network access to the WordPress site. [1]

Impact

Successful exploitation results in the exposure of sensitive data embedded in the plugin. This information could be used to compromise the site further or gain unauthorized access to external services. The CVSS v3 score is 6.5 (Medium), indicating a significant risk of information disclosure. [1]

Mitigation

The recommended mitigation is to update the SePay Gateway plugin to the latest version (1.1.21 or later) as soon as possible. If an immediate update is not possible, users should contact their hosting provider or web developer for assistance. No other workarounds are documented in the available reference. [1]