PT-2026-33018 · WordPress · Visa Acceptance Solutions

Jude Nwadinobi · Published 2026-04-15 · Updated 2026-04-24 · CVE-2026-3461

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Visa Acceptance Solutions versions prior to 2.1.1

Description

The Visa Acceptance Solutions plugin for WordPress allows unauthenticated attackers to log in as any existing user, including administrators. This occurs because the express_pay_product_page_pay_for_order() function logs users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. An attacker can achieve complete account takeover and site compromise by providing the target user's email address in the billing details parameter.

Recommendations

Update the plugin to a version later than 2.1.0.
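
The weakness class described above, as an added example that is not the plugin's code or its fix: a plain-PHP model of binding a checkout session to an account by billing email alone, next to a form that demands proof of ownership. The function names, the in-memory user store and the 10-minute token lifetime are assumptions made for illustration.

```php
<?php
// Added illustration: a plain-PHP model, not the plugin's code. All names are hypothetical.
declare(strict_types=1);

// Constructed sample accounts, keyed by email.
const USERS = [
    'admin@example.test'   => ['id' => 1],
    'shopper@example.test' => ['id' => 7],
];

// Flawed pattern: the session is bound to whichever account owns the
// supplied billing email, with no proof that the caller controls it.
function session_user_flawed(string $billingEmail): ?int
{
    return USERS[strtolower(trim($billingEmail))]['id'] ?? null;
}

// Issue a single-use token to be delivered to the address out of band; only its hash is stored.
function issue_token(array &$pending, string $email): string
{
    $token = bin2hex(random_bytes(32));
    $pending[strtolower(trim($email))] = ['hash' => hash('sha256', $token), 'expires' => time() + 600];
    return $token;
}

// Hardened pattern: an existing account is only bound to the session when the
// caller is already signed in as it or presents a valid, unexpired one-time token.
function session_user_hardened(array &$pending, string $billingEmail, ?int $loggedInId, ?string $token): ?int
{
    $email = strtolower(trim($billingEmail));
    $userId = USERS[$email]['id'] ?? null;
    if ($userId === null || $loggedInId === $userId) {
        return $userId; // guest with no account (null), or the owner already signed in
    }
    $entry = $pending[$email] ?? null;
    unset($pending[$email]); // single use: consumed on any attempt
    if ($entry === null || $token === null || $entry['expires'] < time()) {
        return null;
    }
    return hash_equals($entry['hash'], hash('sha256', $token)) ? $userId : null;
}

$pending = [];
var_dump(session_user_flawed('admin@example.test'));                             // email only
var_dump(session_user_hardened($pending, 'admin@example.test', null, null));     // email only
$token = issue_token($pending, 'shopper@example.test');
var_dump(session_user_hardened($pending, 'shopper@example.test', null, $token)); // fresh token
var_dump(session_user_hardened($pending, 'shopper@example.test', null, $token)); // token replayed
```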

Fix

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers: CVE-2026-3461

Affected Products: Visa Acceptance Solutions