PatchSiren cyber security CVE debrief
CVE-2026-3462 reepaydenmark CVE debrief
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. The CVE record was published on June 27, 2026, and last modified on June 29, 2026. The vulnerability was reported by [email protected].
- Vendor: reepaydenmark
- Product: Frisbii Pay
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-27
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-27
- Advisory updated: 2026-06-29
Who should care
Administrators of WordPress installations using the Frisbii Pay plugin should be aware of this vulnerability and take steps to remediate it. Specifically, they should ensure that the plugin is updated to a version that includes the necessary capability checks. Additionally, site administrators should review their user access controls to prevent unauthorized modifications.
Technical summary
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N: reachable over the network, low attack complexity, low privileges required (any logged-in account), no user interaction, no confidentiality or availability impact, but high integrity impact, which yields the medium severity rating. The advisory cites multiple references, including specific lines in the plugin's source files.
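The bug class above, a WordPress AJAX handler that writes order data without checking the caller's capability, shown beside its hardened form. This is an added illustration, not the Frisbii Pay plugin's code; the hook names, action names and the `_payment_token` meta key are hypothetical.

```php
<?php
// Added illustration of the bug class in this advisory. Hypothetical names;
// this is not code from the Frisbii Pay plugin.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every logged-in user, so a
// Subscriber can reach this handler. Nothing verifies who is calling.
add_action( 'wp_ajax_example_upload_csv', 'example_upload_csv_vulnerable' );
function example_upload_csv_vulnerable() {
    $rows = array_map( 'str_getcsv', explode( "\n", wp_unslash( $_POST['csv'] ?? '' ) ) );
    foreach ( $rows as $row ) {
        if ( count( $row ) < 2 ) {
            continue;
        }
        // Overwrites order meta based purely on caller-supplied input.
        update_post_meta( (int) $row[0], '_payment_token', sanitize_text_field( $row[1] ) );
    }
    wp_send_json_success();
}

// HARDENED PATTERN: verify a nonce (CSRF) and a capability (authorization)
// before touching any data, and fail closed with a 403.
add_action( 'wp_ajax_example_upload_csv_secure', 'example_upload_csv_secure' );
function example_upload_csv_secure() {
    // The nonce must have been issued with wp_create_nonce( 'example_upload_csv' ).
    check_ajax_referer( 'example_upload_csv', 'nonce' );

    // Only users permitted to manage WooCommerce may rewrite payment/order data.
    // wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $rows = array_map( 'str_getcsv', explode( "\n", wp_unslash( $_POST['csv'] ?? '' ) ) );
    foreach ( $rows as $row ) {
        if ( count( $row ) < 2 ) {
            continue;
        }
        $order_id = absint( $row[0] );
        // Confirm the target really is an order before writing to it.
        if ( 'shop_order' !== get_post_type( $order_id ) ) {
            continue;
        }
        update_post_meta( $order_id, '_payment_token', sanitize_text_field( $row[1] ) );
    }
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, look at every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm that each one performs its own `current_user_can()` check; being logged in is not an authorization decision.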
Defensive priority
This vulnerability should be prioritized for remediation due to its potential impact on data integrity and the moderate level of access required to exploit it. Site administrators should update the Frisbii Pay plugin to a version that addresses this vulnerability and review user access controls.
Recommended defensive actions
- Update the Frisbii Pay plugin to a version that includes the necessary capability checks.
- Review user access controls to prevent unauthorized modifications.
- Monitor for suspicious activity related to CSV uploads and data modifications.
- Restrict access to sensitive data and administrative functionality, for example by limiting which roles can reach the plugin's CSV upload and batch-processing endpoints.
- Regularly review and update plugins and themes to ensure they are current and secure.
Evidence notes
The vulnerability was reported by [email protected] and is characterized by a lack of capability checks in the 'upload_csv' and 'process_batch' functions of the Frisbii Pay plugin. The CVE record was published on June 27, 2026, and last modified on June 29, 2026. Multiple references were provided, including specific lines of code in the plugin's files.
Official resources
This article is AI-assisted and based on the supplied source corpus.