CVE-2026-49070
Description
Unauthenticated broken access control in Knit Pay <= 9.4.0.0 allows attackers to perform unauthorized actions on WordPress sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated broken access control in Knit Pay <= 9.4.0.0 allows attackers to perform unauthorized actions on WordPress sites.
Vulnerability
The Knit Pay WordPress plugin versions up to and including 9.4.0.0 suffer from an unauthenticated broken access control vulnerability [1]. This means that certain functions or endpoints lack proper authorization or nonce checks, allowing anyone to trigger privileged actions without being logged in.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to a WordPress site running an affected version of the plugin. No authentication or user interaction is required, making the attack easy to execute at scale [1].
Impact
Successful exploitation allows an unauthenticated attacker to perform actions intended for higher-privileged users, such as modifying plugin settings or accessing sensitive data. The CVSS v3 score of 7.5 indicates a high severity [1].
Mitigation
The vulnerability is fixed in version 9.4.0.1 of the Knit Pay plugin. Users are strongly advised to update to this version immediately. No workarounds are available [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<= 9.4.0.0+ 1 more
- (no CPE)range: <= 9.4.0.0
- (no CPE)range: <=9.4.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.