CVE Catalog

CVE-2026-3462

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks in the 'upload_csv' and 'process_batch' functions in all versions up to and including 1.8.9. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.

Risk Assessment

The organization is at risk of payment and order data manipulation, which can lead to transaction integrity breaches, loss of customer trust, and potential financial losses.

Recommendation

Immediately update the Frisbii Pay plugin to the latest available version that includes security fixes, and restrict access to administrative functions to trusted users only.

Original NVD description (English source)

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS