{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24583", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:07.880Z", "datePublished": "2026-01-23T14:28:59.442Z", "dateUpdated": "2026-04-28T16:14:49.751Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sumup-payment-gateway-for-woocommerce", "product": "SumUp Payment Gateway For WooCommerce", "vendor": "sumup", "versions": [{"changes": [{"at": "2.7.10", "status": "unaffected"}], "lessThanOrEqual": "2.7.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:53.864Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9.</p>"}], "value": "Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.751Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress SumUp Payment Gateway For WooCommerce plugin <= 2.7.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:22:19.151536Z", "id": "CVE-2026-24583", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:30:54.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24583", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:22:19.151536Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:22:12.245Z"}}], "cna": {"title": "WordPress SumUp Payment Gateway For WooCommerce plugin <= 2.7.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "sumup", "product": "SumUp Payment Gateway For WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "2.7.10", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.7.9"}], "packageName": "sumup-payment-gateway-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:53.864Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.655Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24583", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:30:54.534Z", "dateReserved": "2026-01-23T12:32:07.880Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:59.442Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en sumup SumUp Payment Gateway para WooCommerce sumup-payment-gateway-for-woocommerce permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a SumUp Payment Gateway para WooCommerce: desde n/a hasta &lt;= 2.7.9."}], "id": "CVE-2026-24583", "lastModified": "2026-04-28T15:16:16.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:16.200", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:38:26.860983+00:00", "value": {"mitigation_remediation": ["Upgrade the SumUp Payment Gateway For WooCommerce plugin to the latest available version (ideally > 2.7.9).", "If an upgrade is not immediately possible, uninstall or disable the plugin until a fixed version is released.", "After ensuring the plugin is up to date, restrict WordPress user roles to the minimum capabilities required to manage the plugin, ensuring only trusted administrators can modify its settings.", "Optionally, monitor site logs for unauthorized access attempts to the plugin\u2019s configuration pages so that any exploitation can be detected early."], "summary": {"action": "Apply update", "impact": "Broken access control allowing unauthorized use of plugin functions"}, "threat_synthesis": {"affected_systems": "All installations of the SumUp Payment Gateway For WooCommerce WordPress plugin running version 2.7.9 or earlier are affected. The specific product is the SumUp Payment Gateway For WooCommerce plugin deployed on WordPress sites; no other vendors or products are listed as impacted.", "description_and_impact": "The vulnerability is a missing authorization flaw, classified under CWE-862, that permits attackers to manipulate or access features provided by the SumUp Payment Gateway For WooCommerce plugin without proper privileges. An attacker who can reach the plugin\u2019s administrative interfaces could change payment settings, override security levels, or view transaction data that should be protected. The medium\u2011severity CVSS score of 5.3 indicates that while the flaw is not trivial, it can still lead to significant business impact if exploited.", "risk_and_exploitability": "The estimated exploitation probability is very low (EPSS < 1%) and the flaw is not present in the CISA KEV catalog, suggesting that it is not currently the focus of widespread attacks. However, the vulnerability can be leveraged by a user who has at least some level of access to the WordPress site, possibly via social engineering or exploitation of other weaknesses. Once reached, the attacker can perform non\u2011destructive but potentially damaging configuration changes or data retrieval, raising confidentiality and integrity concerns. The risk is considered moderate, but timely remediation is advised to prevent potential abuse."}}}}, "created": "2026-01-26T11:52:46.813908+00:00", "updated": "2026-04-16T01:45:20.656233+00:00", "vendors": ["sumup", "sumup$PRODUCT$payment_gateway_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}