CVE-2026-45209
Description
Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects MyCryptoCheckout: from n/a through 2.161.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in MyCryptoCheckout plugin up to 2.161 allows unprivileged attackers to execute higher-privileged actions, leading to potential site compromise.
Vulnerability
The MyCryptoCheckout WordPress plugin versions 2.161 and earlier contain a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing users with low privileges to perform actions that should require higher privileges. This is classified as a broken access control issue [1].
Exploitation
An attacker with an unprivileged account (e.g., subscriber) can exploit this by sending crafted HTTP requests to the vulnerable endpoints. No additional authentication or special network position is required beyond being a registered user of the WordPress site. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of sites [1].
Impact
Successful exploitation allows the attacker to execute higher-privileged actions, potentially leading to unauthorized modification of plugin settings, access to sensitive data, or full administrative control of the WordPress site. The vulnerability is considered highly dangerous due to its ease of exploitation and widespread impact [1].
Mitigation
The vulnerability is fixed in version 2.162 of the plugin. Users should update immediately. If updating is not possible, Patchstack provides a mitigation rule to block attacks until the update can be applied. The plugin is actively targeted in mass-exploit campaigns [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 products: <=2.161 + 1 more
- (no CPE) range: <=2.161
- (no CPE) range: <=2.161
Patches
No patches discovered yet.
References: 1
News mentions: 0 (no linked articles in our index yet)