PatchSiren cyber security CVE debrief
CVE-2026-42763 SePay team CVE debrief
A Missing Authorization vulnerability in the SePay Gateway WordPress plugin allows authenticated attackers with low privileges to retrieve embedded sensitive data. The vulnerability exists in versions up to and including 1.1.20. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact. The vulnerability is classified under CWE-862 (Missing Authorization). The NVD entry status is currently 'Deferred'. No known exploitation in ransomware campaigns has been reported.
- Vendor: SePay team
- Product: SePay Gateway
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
- WordPress site administrators using the SePay Gateway plugin
- Security teams monitoring payment gateway integrations
- Developers responsible for WordPress plugin security assessments
Technical summary
The SePay Gateway WordPress plugin contains a Missing Authorization vulnerability (CWE-862) that permits authenticated users with low privileges to retrieve embedded sensitive data. The issue affects all versions through 1.1.20. The vulnerability has a CVSS 3.1 score of 6.5 (MEDIUM) with primary impact to confidentiality. No integrity or availability impacts are associated with this vulnerability.
Defensive priority
medium
Recommended defensive actions
- Upgrade SePay Gateway WordPress plugin to a version newer than 1.1.20 if available
- Review and restrict user roles with access to plugin functionality
- Monitor access logs for unauthorized data retrieval attempts
- Apply principle of least privilege for WordPress user accounts
- Verify plugin authorization controls enforce proper access restrictions
Evidence notes
Vulnerability disclosed via Patchstack and indexed in NVD. Affected product identified as SePay Gateway WordPress plugin versions through 1.1.20. CVSS 3.1 score of 6.5 (MEDIUM) assigned. Weakness classified as CWE-862 (Missing Authorization).
Official resources
- CVE-2026-42763 CVE record (CVE.org)
- CVE-2026-42763 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (2026-05-25)