{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32387", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:04.190Z", "datePublished": "2026-03-13T11:42:10.082Z", "dateUpdated": "2026-04-29T09:51:58.338Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "checkout-for-paypal", "product": "Checkout for PayPal", "vendor": "Noor Alam", "versions": [{"changes": [{"at": "1.0.47", "status": "unaffected"}], "lessThanOrEqual": "1.0.46", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:19.286Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Noor Alam Checkout for PayPal checkout-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Checkout for PayPal: from n/a through <= 1.0.46.</p>"}], "value": "Missing Authorization vulnerability in Noor Alam Checkout for PayPal checkout-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout for PayPal: from n/a through <= 1.0.46."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:58.338Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/checkout-for-paypal/vulnerability/wordpress-checkout-for-paypal-plugin-1-0-46-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Checkout for PayPal plugin <= 1.0.46 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T20:30:52.815829Z", "id": "CVE-2026-32387", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T20:32:26.111Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32387", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T20:30:52.815829Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T20:30:31.500Z"}}], "cna": {"title": "WordPress Checkout for PayPal plugin <= 1.0.46 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Noor Alam", "product": "Checkout for PayPal", "versions": [{"status": "affected", "changes": [{"at": "1.0.47", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.0.46"}], "packageName": "checkout-for-paypal", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:13.119Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/checkout-for-paypal/vulnerability/wordpress-checkout-for-paypal-plugin-1-0-46-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Noor Alam Checkout for PayPal checkout-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout for PayPal: from n/a through <= 1.0.46.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Noor Alam Checkout for PayPal checkout-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Checkout for PayPal: from n/a through <= 1.0.46.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:10.082Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32387", "state": "PUBLISHED", "dateUpdated": "2026-03-13T20:32:26.111Z", "dateReserved": "2026-03-12T11:11:04.190Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:10.082Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Noor Alam Checkout for PayPal checkout-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout for PayPal: from n/a through <= 1.0.46."}, {"lang": "es", "value": "Vulnerabilidad por Autorizaci\u00f3n Faltante en Noor Alam Checkout for PayPal checkout-for-paypal permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Checkout for PayPal: desde n/a hasta &lt;= 1.0.46."}], "id": "CVE-2026-32387", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:54.100", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/checkout-for-paypal/vulnerability/wordpress-checkout-for-paypal-plugin-1-0-46-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.46]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.0.47"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "Checkout for PayPal", "source": "cna", "vendor": "Noor Alam"}, "product": "checkout_for_paypal", "vendor": "noorsplugin"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T14:54:21.026882+00:00", "value": {"mitigation_remediation": ["Upgrade the Checkout for PayPal plugin to any version newer than 1.0.46 if available.", "If an upgrade is not feasible, temporarily deactivate or remove the plugin to eliminate the risk.", "Implement strict role\u2011based access controls and verify that only trusted users have administrative privileges to the WordPress site.", "Review audit logs for suspicious activity and consider enabling additional logging for checkout\u2011related operations."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Vulnerable systems run the Noor Alam Checkout for PayPal WordPress plugin version 1.0.46 or older. No specific sub\u2011versions are excluded; the entire range from the first release up to and including 1.0.46 is affected. Only WordPress installations using this plugin are impacted.", "description_and_impact": "Missing authorization in the Noor Alam Checkout for PayPal WordPress plugin enables an attacker to abuse incorrectly configured access control levels, allowing unauthorized actions such as viewing or modifying checkout settings. This vulnerability is classified as a broken access control weakness (CWE-862) and can lead to confidentiality, integrity, or availability impact on the e\u2011commerce site. It is not a remote code execution flaw but provides an attacker with elevated privileges beyond what is intended.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating moderate severity. EPSS is below 1\u2009%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers could potentially exploit the issue by sending specially crafted requests to plugin endpoints that lack proper authorization checks. Because the flaw originates from missing access control, it is likely limited to users who can reach the plugin\u2019s administration pages but can bypass the intended permission model."}}}}, "created": "2026-03-16T09:34:23.308173+00:00", "updated": "2026-03-23T12:04:12.698262+00:00", "vendors": ["noorsplugin", "noorsplugin$PRODUCT$checkout_for_paypal", "wordpress", "wordpress$PRODUCT$wordpress"]}