CVE-2026-45217
Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation.
This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in ThemeHigh Stripe Payment Gateway for WooCommerce through 5.0.7 enables password recovery exploitation.
Vulnerability
An authentication bypass vulnerability exists in the ThemeHigh Stripe Payment Gateway for WooCommerce plugin for WordPress. Affecting versions from n/a through 5.0.7, the issue allows an attacker to exploit password recovery functionality by using an alternate path or channel, effectively bypassing normal authentication checks [1].
Exploitation
An attacker does not require prior authentication to exploit this vulnerability. By sending a specially crafted request to the password recovery endpoint, the attacker can trigger an alternate authentication path, allowing them to perform actions normally restricted to higher-privileged users [1]. The attack can be conducted remotely without user interaction.
Impact
Successful exploitation enables an attacker to gain unauthorized access to the WordPress admin account of a site using the vulnerable plugin. This can lead to full site compromise, including data theft, defacement, or further malware distribution [1].
Mitigation
The vulnerability is fixed in version 5.0.8 of the plugin. Users should update immediately. For those unable to update, hosting providers or web developers should be consulted. Patchstack has issued a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=5.0.7
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.