All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-3462
MEDIUMpublished 2026-06-27 08:16 UTC · 1 day ago
6.5
CVSS / 10
// description
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
// weaknesses (CWE)
- CWE-862
// references (5)
- https://plugins.trac.wordpress.org/browser/reepay-checkout-gateway/trunk/includes/Admin/MigrationMobilepayToVipps.php#L129
- https://plugins.trac.wordpress.org/browser/reepay-checkout-gateway/trunk/includes/Admin/MigrationMobilepayToVipps.php#L170
- https://plugins.trac.wordpress.org/browser/reepay-checkout-gateway/trunk/includes/Admin/MigrationMobilepayToVipps.php#L42
- https://plugins.trac.wordpress.org/changeset/3485246/