{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32587", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:57.709Z", "datePublished": "2026-03-16T15:30:04.835Z", "dateUpdated": "2026-04-01T16:00:46.058Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-easy-pay", "product": "WP EasyPay", "vendor": "Saad Iqbal", "versions": [{"changes": [{"at": "4.2.12", "status": "unaffected"}], "lessThanOrEqual": "4.2.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:43:34.906Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP EasyPay: from n/a through <= 4.2.11.</p>"}], "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through <= 4.2.11."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:46.058Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-2-11-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP EasyPay plugin <= 4.2.11 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:50:04.237089Z", "id": "CVE-2026-32587", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:50:18.350Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32587", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T15:50:04.237089Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:50:08.152Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress WP EasyPay plugin <= 4.2.11 - Broken Access Control vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Saad Iqbal", "product": "WP EasyPay", "versions": [{"status": "affected", "changes": [{"at": "4.2.12", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "4.2.11"}], "packageName": "wp-easy-pay", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress WP EasyPay Plugin to the latest available version (at least 4.2.12).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress WP EasyPay Plugin to the latest available version (at least 4.2.12).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-2-11-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through 4.2.11.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP EasyPay: from n/a through 4.2.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-16T15:30:04.835Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32587", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:50:18.350Z", "dateReserved": "2026-03-12T11:12:57.709Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-16T15:30:04.835Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through <= 4.2.11."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Saad Iqbal WP EasyPay permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP EasyPay: desde n/a hasta 4.2.11."}], "id": "CVE-2026-32587", "lastModified": "2026-04-01T17:28:39.377", "metrics": {}, "published": "2026-03-16T16:16:15.740", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-2-11-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP EasyPay", "source": "cna", "vendor": "Saad Iqbal"}, "product": "wp_easypay", "vendor": "saad_iqbal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T03:39:50.588144+00:00", "value": {"mitigation_remediation": ["Upgrade the WP EasyPay plugin to the latest version available.", "If an upgrade is not immediately possible, temporarily disable the plugin until a patch is applied."], "summary": {"action": "Patch Now", "impact": "Unauthorized access via broken access control"}, "threat_synthesis": {"affected_systems": "The affected system is the WordPress plugin WP EasyPay published by Saad Iqbal, specifically versions up to and including 4.2.11.", "description_and_impact": "The vulnerability is a missing authorization check in the WP EasyPay plugin for WordPress, allowing an attacker to access or perform actions that should be restricted. It manifests as broken access control, a weakness identified as CWE\u2011862. This flaw means that users who should not have permission could potentially gain elevated privileges within the plugin environment, compromising the confidentiality or integrity of transactions handled by the plugin.", "risk_and_exploitability": "The available metrics indicate an EPSS score of less than 1\u202f% and no listing in the CISA KEV catalog, suggesting a relatively low likelihood of widespread exploitation. However, the attack vector is not explicitly stated; based on the plugin nature, the likely exploitation path is via the WordPress web interface. The lack of a CVSS score means the exact severity is uncertain, but the potential impact of unauthorized actions within the plugin warrants timely remediation."}}}}, "created": "2026-03-17T09:52:39.534407+00:00", "updated": "2026-04-02T08:00:08.735924+00:00", "vendors": ["saad_iqbal", "saad_iqbal$PRODUCT$wp_easypay", "wordpress", "wordpress$PRODUCT$wordpress"]}