PT-2025-27068 · WordPress · Simple Payment

Kenneth Dunn · Published 2025-06-27 · Updated 2025-07-02 · CVE-2025-6688

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Simple Payment plugin for WordPress versions 1.3.6 through 2.3.8
Description: The plugin is vulnerable to authentication bypass because it does not properly verify a user's identity before logging them in through the create_user() function. This allows unauthenticated attackers to log in as administrative users.
Recommendations: For versions 1.3.6 through 2.3.8, consider disabling the create_user() function until a patch is available to prevent exploitation. Restrict access to administrative user accounts to minimize the risk of unauthorized access.

Fix

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers: CVE-2025-6688

Affected Products: Simple Payment