{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39609", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:23.375Z", "dateUpdated": "2026-04-10T16:30:16.671Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wava-payment", "product": "Wava Payment", "vendor": "Wava.co", "versions": [{"lessThanOrEqual": "0.3.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.643Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Wava Payment: from n/a through <= 0.3.7.</p>"}], "value": "Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.375Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wava-payment/vulnerability/wordpress-wava-payment-plugin-0-3-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Wava Payment plugin <= 0.3.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:29:48.624270Z", "id": "CVE-2026-39609", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:30:16.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:29:48.624270Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:29:36.462Z"}}], "cna": {"title": "WordPress Wava Payment plugin <= 0.3.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Wava.co", "product": "Wava Payment", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.3.7"}], "packageName": "wava-payment", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:33.643Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wava-payment/vulnerability/wordpress-wava-payment-plugin-0-3-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Wava Payment: from n/a through <= 0.3.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.375Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39609", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:30:16.671Z", "dateReserved": "2026-04-07T10:48:55.140Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:23.375Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.3.7."}], "id": "CVE-2026-39609", "lastModified": "2026-04-10T17:17:11.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:30.303", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wava-payment/vulnerability/wordpress-wava-payment-plugin-0-3-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Wava Payment", "source": "cna", "vendor": "Wava.co"}, "product": "wava_payment", "vendor": "wava.co"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:43:22.769081+00:00", "value": {"mitigation_remediation": ["Update the Wava Payment plugin to the latest available version.", "If an update is not immediately available, restrict access to the plugin\u2019s administrative pages by applying server\u2011side access controls or using a security plugin.", "Verify that all plugin files are properly protected and monitor logs for unauthorized changes."], "summary": {"action": "Patch", "impact": "Unauthorized access via broken access control"}, "threat_synthesis": {"affected_systems": "The plugin is distributed by Wava.co under the name Wava Payment. Versions from the earliest released up through 0.3.7 are affected. Administrators should verify the version of the plugin installed on each WordPress site and treat any instance older than 0.4.0 as vulnerable.", "description_and_impact": "The Wava Payment plugin for WordPress contains a missing authorization flaw that permits unauthenticated or improperly authenticated users to perform actions that should be restricted to privileged administrators. This broken access control can lead to data exposure, unauthorized configuration changes, or other compromises depending on the features exposed by the plugin.", "risk_and_exploitability": "The CVSS score is not publicly disclosed; EPSS is unavailable and the submission is not listed in the CISA KEV catalog, suggesting the risk is not currently prioritized. Nonetheless, the vulnerability allows an attacker who can reach the WordPress interface to bypass standard access controls. The attack vector is likely remote via web requests to the plugin's endpoints, and no elevated privileges are required beyond basic web access."}}}}, "created": "2026-04-08T19:29:51.153509+00:00", "updated": "2026-04-08T19:42:08.503370+00:00", "vendors": ["wava.co", "wava.co$PRODUCT$wava_payment", "wordpress", "wordpress$PRODUCT$wordpress"]}