{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39650", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:34.227Z", "dateUpdated": "2026-04-09T15:27:30.306Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "unitechpay-paiements-mobile-money", "product": "UnitechPay", "vendor": "Unitech Web", "versions": [{"lessThanOrEqual": "1.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ngo Bui Truong Vu | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:39.095Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects UnitechPay: from n/a through <= 1.0.2.</p>"}], "value": "Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:34.227Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/unitechpay-paiements-mobile-money/vulnerability/wordpress-unitechpay-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress UnitechPay plugin <= 1.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:27:24.526708Z", "id": "CVE-2026-39650", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:27:30.306Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39650", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:27:24.526708Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:26:38.513Z"}}], "cna": {"title": "WordPress UnitechPay plugin <= 1.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Ngo Bui Truong Vu | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Unitech Web", "product": "UnitechPay", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.2"}], "packageName": "unitechpay-paiements-mobile-money", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:39.095Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/unitechpay-paiements-mobile-money/vulnerability/wordpress-unitechpay-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects UnitechPay: from n/a through <= 1.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:34.227Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39650", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:27:30.306Z", "dateReserved": "2026-04-07T10:57:48.107Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:34.227Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2."}], "id": "CVE-2026-39650", "lastModified": "2026-04-09T16:16:29.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:36.020", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/unitechpay-paiements-mobile-money/vulnerability/wordpress-unitechpay-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UnitechPay", "source": "cna", "vendor": "Unitech Web"}, "product": "unitechpay", "vendor": "unitech_web"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:05:49.278152+00:00", "value": {"mitigation_remediation": ["Update the UnitechPay plugin to the latest available version, removing the missing authorization flaw.", "If an upgrade is not immediately possible, disable the vulnerable plugin from the WordPress backend to prevent exploitation.", "Review and enforce proper role\u2011based access controls on any remaining payment features in the site.", "Audit server logs for unusual activity related to the plugin and monitor for repeated failed or successful unauthorized requests.", "Implement web application firewall rules to block known malicious payloads targeting the plugin\u2019s endpoints."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The flaw affects the UnitechPay plugin from Unitech Web, specifically versions 1.0.2 and earlier. Sites that have installed any of these versions are susceptible. The plugin runs within a WordPress installation, so any WordPress site hosting the vulnerable version of the plugin is impacted.", "description_and_impact": "This vulnerability is a missing authorization flaw that allows an attacker to bypass access controls in the UnitechPay plugin for WordPress. Without proper permission checks, a user can invoke privileged plugin functions or alter payment settings, potentially exposing sensitive financial data or modifying transaction configurations. The flaw falls under the missing authorization weakness, enabling unauthorized users to gain actions normally restricted to privileged users, thereby compromising confidentiality and integrity of payment operations.", "risk_and_exploitability": "The risk is substantial because the vulnerable functions are exposed through the web interface and can be accessed without authentication. No public exploit has been documented, but the absence of a valid EPSS score and KEV listing does not reduce the theoretical likelihood of exploitation, especially on high\u2011traffic sites. Attackers could exploit this weakness remotely by sending crafted requests to the plugin\u2019s endpoints, bypassing all authorization checks and achieving unauthorized access to administrative features."}}}}, "created": "2026-04-08T19:28:21.779463+00:00", "updated": "2026-04-08T19:41:25.653545+00:00", "vendors": ["unitech_web", "unitech_web$PRODUCT$unitechpay", "wordpress", "wordpress$PRODUCT$wordpress"]}