CVE-2026-12738 in WP Easy Pay Plugin
Summary
by MITRE • 07/11/2026
The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The WP Easy Pay plugin for WordPress presents a critical authorization bypass vulnerability that affects all versions up to and including 450. This security flaw resides in the plugin's insufficient verification mechanisms for user permissions during administrative operations. The vulnerability specifically impacts the plugin's ability to validate whether authenticated users possess appropriate authorization levels before executing sensitive actions. Attackers with subscriber-level privileges or higher can exploit this weakness to manipulate content status, effectively undermining the site's content management controls.
The technical implementation of this vulnerability stems from inadequate input validation and permission checking within the plugin's administrative interfaces. When users attempt to modify post statuses through the plugin's functionality, the system fails to properly authenticate the user's authorization level for such actions. This represents a classic authorization bypass flaw that aligns with CWE-862, which defines insufficient authorization as a critical weakness in software systems. The vulnerability allows attackers to leverage their existing subscriber permissions to execute unauthorized administrative functions.
The operational impact of this vulnerability extends beyond simple content manipulation, as it provides attackers with the capability to unpublish arbitrary site content by setting posts and pages to draft status. This effectively removes content from public visibility without proper authorization, potentially causing significant disruption to website operations. The attack vector is particularly concerning because it requires only subscriber-level access, making it accessible to users who should normally lack administrative capabilities. This weakness creates a pathway for both accidental and malicious content removal that could compromise site integrity.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to versions that address the authorization bypass issue. Administrators must ensure they are running patched versions of the WP Easy Pay plugin as soon as available. Additionally, implementing role-based access controls and monitoring user activities can help detect unauthorized attempts to modify content status. Security practitioners should consider applying the principle of least privilege by restricting subscriber-level permissions where possible. The vulnerability demonstrates the importance of proper authorization checks in web applications and aligns with ATT&CK technique T1078 which addresses valid accounts and privilege escalation through unauthorized access to administrative functions. Organizations should also conduct regular security audits of third-party plugins to identify similar authorization bypass vulnerabilities that could compromise their WordPress installations.