Vulnerability Brief
CVE-2026-3462
What this means for your business
A security vulnerability in the Frisbii Pay plugin for WordPress could allow an attacker with basic access to your site (a logged-in Subscriber-level account) to upload data that changes sensitive payment information, potentially leading to financial losses or compromised customer data. An attacker would not need advanced technical skills to exploit it. To protect your business, update the plugin to the latest version, or remove it altogether if you no longer use it.
- Severity: MEDIUM
- CVSS score: 6.5
Technical summary
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
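The bug class described above, shown as an added illustration that is not the Frisbii Pay source: a CSV import handler without a capability check, next to a hardened form. It assumes the import is reached through an authenticated AJAX hook; every example_* name, the nonce name and the meta-key allow-list are hypothetical.

```php
<?php
// Added illustration, not plugin code. All example_* names are hypothetical.

// Unsafe pattern: wp_ajax_* hooks fire for ANY logged-in user, so a
// Subscriber reaches this handler. Nothing checks what the caller may do.
add_action( 'wp_ajax_example_upload_csv', 'example_upload_csv_unchecked' );
function example_upload_csv_unchecked() {
    $rows = array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) );
    foreach ( $rows as $row ) {
        // Caller-chosen record ID, meta key and value are written as-is.
        update_post_meta( (int) $row[0], $row[1], $row[2] );
    }
    wp_send_json_success();
}

// Hardened pattern: verify intent (nonce), then authority (capability),
// then constrain which records and keys a CSV row is allowed to touch.
add_action( 'wp_ajax_example_upload_csv_checked', 'example_upload_csv_checked' );
function example_upload_csv_checked() {
    check_ajax_referer( 'example_upload_csv', 'nonce' ); // stops on a bad nonce
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $tmp = isset( $_FILES['csv']['tmp_name'] ) ? $_FILES['csv']['tmp_name'] : '';
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }
    $allowed_keys = array( '_example_batch_reference' ); // hypothetical allow-list
    $handle       = fopen( $tmp, 'r' );
    while ( false !== ( $row = fgetcsv( $handle ) ) ) {
        // Skip short rows and any meta key outside the allow-list, so a CSV
        // can never reach payment-token or arbitrary postmeta fields.
        if ( count( $row ) < 3 || ! in_array( $row[1], $allowed_keys, true ) ) {
            continue;
        }
        $order = wc_get_order( absint( $row[0] ) );
        if ( $order ) {
            $order->update_meta_data( $row[1], sanitize_text_field( $row[2] ) );
            $order->save();
        }
    }
    fclose( $handle );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, look for handlers that write postmeta, order meta or payment tokens without a current_user_can() call before the first write.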