{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25469", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.642Z", "datePublished": "2026-03-25T16:14:51.967Z", "dateUpdated": "2026-04-28T16:14:59.669Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "viabill-woocommerce", "product": "ViaBill \u2013 WooCommerce", "vendor": "ViaBill for WooCommerce", "versions": [{"lessThanOrEqual": "1.1.53", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:24.290Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill \u2013 WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ViaBill \u2013 WooCommerce: from n/a through <= 1.1.53.</p>"}], "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill \u2013 WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ViaBill \u2013 WooCommerce: from n/a through <= 1.1.53."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.669Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/viabill-woocommerce/vulnerability/wordpress-viabill-woocommerce-plugin-1-1-53-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress ViaBill \u2013 WooCommerce plugin <= 1.1.53 - Settings Change vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:31:48.512338Z", "id": "CVE-2026-25469", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:46:51.888Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25469", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.642Z", "datePublished": "2026-03-25T16:14:51.967Z", "dateUpdated": "2026-04-28T01:46:51.888Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "viabill-woocommerce", "product": "ViaBill &#8211; WooCommerce", "vendor": "ViaBill for WooCommerce", "versions": [{"lessThanOrEqual": "1.1.53", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:24.290Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill &#8211; WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ViaBill &#8211; WooCommerce: from n/a through <= 1.1.53.</p>"}], "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill &#8211; WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ViaBill &#8211; WooCommerce: from n/a through <= 1.1.53."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.988Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/viabill-woocommerce/vulnerability/wordpress-viabill-woocommerce-plugin-1-1-53-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress ViaBill \u2013 WooCommerce plugin <= 1.1.53 - Settings Change vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25469", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:31:48.512338Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:31:49.456Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill \u2013 WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ViaBill \u2013 WooCommerce: from n/a through <= 1.1.53."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ViaBill para WooCommerce ViaBill \u2013 WooCommerce viabill-woocommerce permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a ViaBill \u2013 WooCommerce: desde n/a hasta &lt;= 1.1.53."}], "id": "CVE-2026-25469", "lastModified": "2026-04-28T19:37:07.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:52.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/viabill-woocommerce/vulnerability/wordpress-viabill-woocommerce-plugin-1-1-53-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.53]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ViaBill &#8211; WooCommerce", "source": "cna", "vendor": "ViaBill for WooCommerce"}, "product": "viabill_&#8211;_woocommerce", "vendor": "viabill_for_woocommerce"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-29T00:38:30.051528+00:00", "value": {"mitigation_remediation": ["Upgrade the ViaBill \u2013 WooCommerce plugin to a version newer than 1.1.53", "Ensure that only administrator accounts can edit plugin settings", "Monitor site logs for unexpected configuration changes", "Implement role\u2011based access controls and enable two\u2011factor authentication for administrative accounts"], "summary": {"action": "Patch Now", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the ViaBill \u2013 WooCommerce plugin version 1.1.53 or earlier are affected. Any site relying on this plugin for payment handling is vulnerable to unauthorized configuration changes.", "description_and_impact": "The ViaBill \u2013 WooCommerce plugin up to version 1.1.53 suffers from a missing authorization flaw that permits exploitation of incorrectly configured access control levels. As a result, an attacker can change the plugin\u2019s configuration settings without proper authentication. This CWE\u2011862 vulnerability can alter payment processing parameters and affect how the plugin operates within WordPress, potentially compromising transaction integrity and exposing sensitive financial data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests low current exploit activity and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the plugin\u2019s settings interface, which can be accessed by any authenticated user who has permission to view or edit the settings. Based on the description, it is inferred that such an attacker could alter configuration values, potentially enabling unauthorized payment routes or disabling security checks. Although exploitation probability is low at present, the ability to change core settings increases risk until the plugin is updated or otherwise mitigated."}}}}, "created": "2026-03-25T21:44:15.407913+00:00", "updated": "2026-04-29T00:45:26.159984+00:00", "vendors": ["viabill_for_woocommerce", "viabill_for_woocommerce$PRODUCT$viabill_&#8211;_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}