cvedb.io
CVE-2023-28121
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2023-04-12T21:15:28.057 · Last modified 2026-06-17T05:46:55.107

Summary

An issue in the WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, such as an administrator. A remote, unauthenticated attacker can thereby gain admin access on a site that has an affected version of the plugin activated.

Affected products

automattic — woocommerce_payments



This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.