PatchSiren cyber security CVE debrief
CVE-2026-12738 saadiqbal CVE debrief
The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM.
- Vendor
- saadiqbal
- Product
- WP Easy Pay – Payment and Donation form Builder for Square
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. Site administrators and security teams should review the vulnerability details and plan for updates or mitigations through normal change control.
Technical summary
The vulnerability exists due to improper authorization checks in the WP Easy Pay – Payment and Donation form Builder for Square plugin. An authenticated attacker with subscriber-level access can exploit this to change the status of arbitrary posts and pages to 'draft', effectively unpublishing them. The plugin does not properly verify that a user is authorized to perform an action, leading to this authorization bypass vulnerability.
Defensive priority
Medium
Recommended defensive actions
- Update WP Easy Pay – Payment and Donation form Builder for Square plugin to a version beyond 4.5.0
- Restrict access to sensitive areas of the WordPress site
- Monitor site activity for unauthorized changes
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-11T07:16:45.770Z and has not been modified since then. The NVD entry is currently in the 'Received' state. The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This vulnerability allows authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content. The CVE record does not provide further details on the vulnerability, so defenders should verify the affected scope and severity with the vendor and consider compensating controls.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.770Z and has not been modified since then. The NVD entry is currently in the 'Received' state.