{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27073", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-03-25T16:14:54.270Z", "dateUpdated": "2026-04-28T16:15:01.171Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "buy-now-pay-later-addi", "product": "Addi \u2013 Cuotas que se adaptan a ti", "vendor": "Addi", "versions": [{"lessThanOrEqual": "2.0.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:20.521Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of Hard-coded Credentials vulnerability in Addi Addi \u2013 Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.<p>This issue affects Addi \u2013 Cuotas que se adaptan a ti: from n/a through <= 2.0.4.</p>"}], "value": "Use of Hard-coded Credentials vulnerability in Addi Addi \u2013 Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi \u2013 Cuotas que se adaptan a ti: from n/a through <= 2.0.4."}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "Password Recovery Exploitation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.171Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/buy-now-pay-later-addi/vulnerability/wordpress-addi-cuotas-que-se-adaptan-a-ti-plugin-2-0-4-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Addi \u2013 Cuotas que se adaptan a ti plugin <= 2.0.4 - Broken Authentication vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:04:58.287416Z", "id": "CVE-2026-27073", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:52:18.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:04:58.287416Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:04:54.958Z"}}], "cna": {"title": "WordPress Addi \u2013 Cuotas que se adaptan a ti plugin <= 2.0.4 - Broken Authentication vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "Password Recovery Exploitation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Addi", "product": "Addi &#8211; Cuotas que se adaptan a ti", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.4"}], "packageName": "buy-now-pay-later-addi", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:20.521Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/buy-now-pay-later-addi/vulnerability/wordpress-addi-cuotas-que-se-adaptan-a-ti-plugin-2-0-4-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials vulnerability in Addi Addi &#8211; Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi &#8211; Cuotas que se adaptan a ti: from n/a through <= 2.0.4.", "supportingMedia": [{"type": "text/html", "value": "Use of Hard-coded Credentials vulnerability in Addi Addi &#8211; Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.<p>This issue affects Addi &#8211; Cuotas que se adaptan a ti: from n/a through <= 2.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:10.550Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27073", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:52:18.599Z", "dateReserved": "2026-02-17T13:23:51.341Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:54.270Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials vulnerability in Addi Addi \u2013 Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi \u2013 Cuotas que se adaptan a ti: from n/a through <= 2.0.4."}, {"lang": "es", "value": "Vulnerabilidad de uso de credenciales codificadas de forma r\u00edgida en Addi Addi \u2013 Cuotas que se adaptan a ti buy-now-pay-later-addi permite la explotaci\u00f3n de la recuperaci\u00f3n de contrase\u00f1a. Este problema afecta a Addi \u2013 Cuotas que se adaptan a ti: desde n/a hasta &lt;= 2.0.4."}], "id": "CVE-2026-27073", "lastModified": "2026-04-28T19:37:12.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:54.793", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/buy-now-pay-later-addi/vulnerability/wordpress-addi-cuotas-que-se-adaptan-a-ti-plugin-2-0-4-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Addi &#8211; Cuotas que se adaptan a ti", "source": "cna", "vendor": "Addi"}, "product": "addi_&#8211;_cuotas_que_se_adaptan_a_ti", "vendor": "addi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-29T01:57:56.788643+00:00", "value": {"mitigation_remediation": ["Update the Addi plugin to a version newer than 2.0.4 once it becomes available.", "If an update is not immediately available, remove or disable the plugin to eliminate the exposed credentials.", "Change all administrative passwords and review user accounts for any suspicious activity.", "Monitor site logs to detect any unauthorized login attempts or behavioral anomalies."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access (login), potential administrative takeover"}, "threat_synthesis": {"affected_systems": "Addi \u2013 Cuotas que se adaptan a ti WordPress plugin, version 2.0.4 and earlier. The vulnerability affects all installations using these plugin versions on any WordPress site.", "description_and_impact": "The vulnerability exposes hard\u2011coded credentials that can be exploited via the password\u2011recovery feature of the Addi \u2013 Cuotas que se adaptan a ti WordPress plugin (versions up through 2.0.4). By abusing this flaw, an attacker can authenticate without legitimate user credentials and gain administrative access. This privileged access allows modification of site settings, data compromise, and potential use of the site for further attacks. The weakness is identified as CWE\u2011798.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the issue as high severity. EPSS indicates a very low probability of exploitation (<1%), and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that attackers can trigger the flaw via the publicly accessible password recovery endpoint, indicating a remote and unauthenticated attack vector. While the vulnerability does not directly allow arbitrary code execution, it gives attackers complete control through the administrative interface."}}}}, "created": "2026-03-25T21:44:03.162501+00:00", "updated": "2026-04-29T02:00:27.287134+00:00", "vendors": ["addi", "addi$PRODUCT$addi_&#8211;_cuotas_que_se_adaptan_a_ti", "wordpress", "wordpress$PRODUCT$wordpress"]}