CVE-2026-3462
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks in the 'upload_csv' and 'process_batch' functions in all versions up to and including 1.8.9. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
Risk Assessment
The organization is at risk of payment and order data manipulation, which can lead to transaction integrity breaches, loss of customer trust, and potential financial losses.
Recommendation
Immediately update the Frisbii Pay plugin to the latest available version that includes security fixes, and restrict access to administrative functions to trusted users only.
Original NVD description (English source)
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.

