CVE-2026-3462 in Frisbii Pay Plugin
Summary
by MITRE • 06/27/2026
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
Analysis
by VulDB Data Team • 06/27/2026
The Frisbii Pay plugin for WordPress contains a critical authorization vulnerability caused by insufficient capability validation in its core functionality. The weakness affects all versions up to and including 1.8.9 and allows authenticated attackers with Subscriber-level privileges or higher to manipulate sensitive payment data. The vulnerability lies in the upload_csv and process_batch functions, which perform data modification operations without first verifying that the calling user holds the required permissions.
The flaw is the absence of capability checks that would confirm a user holds adequate privileges before a data modification task runs. Because these functions perform no such check, any authenticated user with Subscriber-level access can invoke them and bypass the restrictions that would normally prevent such actions. This design oversight creates a direct vector for privilege escalation and unauthorized data manipulation within the WooCommerce payment processing environment.
The operational impact of this vulnerability extends beyond simple data corruption, as attackers can overwrite critical payment tokens that are essential for transaction processing and customer payment management. Additionally, the vulnerability allows modification of postmeta and order meta records, which contain crucial information about customer orders, payment statuses, and transaction histories. These modifications can lead to financial discrepancies, payment processing failures, and potential fraud scenarios that compromise both merchant operations and customer trust.
From a cybersecurity perspective, this vulnerability aligns with CWE-285, which addresses insufficient authorization in software systems. The flaw represents a clear violation of the principle of least privilege, where users should only have access to functions necessary for their role within the system. The attack vector follows ATT&CK technique T1078.004, which involves legitimate credentials used to gain access to systems, and T1566.001, representing credential harvesting through various means including privilege escalation.
Security mitigations should include immediate implementation of capability checks within the upload_csv and process_batch functions to verify user permissions before allowing data modification operations. Plugin updates must enforce proper authorization controls that validate administrator-level privileges for sensitive payment data operations. Organizations should also implement monitoring solutions to detect unauthorized modifications to payment tokens and meta records, along with regular security audits to identify similar vulnerabilities in other plugins or system components. The remediation process requires thorough code review to ensure all functions handling payment-related data include appropriate access control validation mechanisms.
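The guard the mitigation calls for, shown as an added example rather than the Frisbii Pay plugin's own code: a WordPress AJAX handler of the kind that reaches upload_csv, first without and then with a nonce and capability check. The hook name, nonce action, CSV column layout and the helper that writes order meta are assumptions.

```php
<?php
// Added example, not code from the Frisbii Pay plugin. Hook and nonce names are assumed.

// WEAK PATTERN: wp_ajax_* hooks fire for every logged-in user, Subscribers included.
// With no capability check, any account on the site can reach the data-modifying code.
function frisbii_demo_upload_csv_weak() {
    $rows = isset( $_POST['csv'] ) ? (string) wp_unslash( $_POST['csv'] ) : '';
    frisbii_demo_apply_rows( $rows ); // overwrites order meta for whoever calls it
    wp_send_json_success();
}

// HARDENED PATTERN: verify the request nonce, then require a capability that
// Subscribers never hold before any record is touched.
function frisbii_demo_upload_csv_hardened() {
    // Dies with a 403-style response when the nonce is missing, stale or forged.
    check_ajax_referer( 'frisbii_demo_csv', 'nonce' );

    // manage_woocommerce covers shop managers and administrators; use
    // manage_options instead if only administrators should run payment-data jobs.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $rows = isset( $_POST['csv'] ) ? (string) wp_unslash( $_POST['csv'] ) : '';
    frisbii_demo_apply_rows( $rows );
    wp_send_json_success();
}

// Assumed CSV layout: order_id,meta_key,meta_value (one record per line).
// Writes through the WooCommerce order API rather than raw postmeta updates.
function frisbii_demo_apply_rows( $rows ) {
    foreach ( explode( "\n", $rows ) as $line ) {
        $cols = str_getcsv( trim( $line ) );
        if ( count( $cols ) < 3 ) {
            continue; // skip blank or malformed lines
        }
        $order = wc_get_order( absint( $cols[0] ) );
        if ( ! $order ) {
            continue;
        }
        $order->update_meta_data( sanitize_key( $cols[1] ), sanitize_text_field( $cols[2] ) );
        $order->save();
    }
}

// Only the hardened handler is registered, and only on the logged-in hook;
// never expose payment-data jobs on wp_ajax_nopriv_*.
add_action( 'wp_ajax_frisbii_demo_upload_csv', 'frisbii_demo_upload_csv_hardened' );
```

The same guard belongs at the top of the process_batch handler; the page's advice to audit every function that writes payment tokens or order meta amounts to confirming that each one starts this way.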