CVE-2025-66131

Yaad · Yaad Sarig Payment Gateway For WC (WordPress Plugin)

A critical Missing Authorization vulnerability, identified as CVE-2025-66131, has been discovered in the Yaad Sarig Payment Gateway For WC WordPress plugin.

Executive summary

The Missing Authorization flaw in the Yaad Sarig Payment Gateway For WC WordPress plugin allows an attacker to bypass security controls and perform unauthorized actions, potentially leading to financial fraud, data theft, or full website compromise. Because of its critical severity rating (CVSS 9.1), immediate remediation is required to protect sensitive payment data and maintain operational integrity.

Vulnerability

The vulnerability is a "Missing Authorization" flaw. The plugin fails to verify whether a user has the required permissions before allowing them to execute certain sensitive functions. An unauthenticated or low-privileged attacker can craft specific requests to the plugin's endpoints to access and manipulate features that should be restricted to administrators. This could include viewing transaction logs, altering payment gateway settings, or potentially initiating fraudulent refunds or transactions.
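The class of defect described above, as an added illustration that is not code from the Yaad Sarig plugin (whose internals are not shown on this page): a hypothetical WordPress REST route that changes gateway settings, first with no authorization check, then with the capability check WordPress provides. The route names, option key and function names are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Route names, option key and
// callback names are hypothetical; 'manage_woocommerce' is the real
// WooCommerce capability for store administration.

// VULNERABLE: permission_callback unconditionally returns true, so any
// caller who reaches the route, authenticated or not, can change settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_gateway_save_settings',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: WordPress only invokes the callback once permission_callback
// succeeds. The caller must be logged in and hold manage_woocommerce;
// cookie-authenticated REST requests must also carry a valid X-WP-Nonce,
// which core verifies before this runs (otherwise current_user_can() sees
// an anonymous user and the request is rejected).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/settings-hardened', array(
        'methods'             => 'POST',
        'callback'            => 'example_gateway_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change gateway settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'merchant_id' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_gateway_save_settings( WP_REST_Request $request ) {
    // Reached only after permission_callback allowed the request.
    $settings = (array) get_option( 'example_gateway_settings', array() );
    $settings['merchant_id'] = $request->get_param( 'merchant_id' );
    update_option( 'example_gateway_settings', $settings );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

The same pattern applies to admin-ajax.php handlers, where the equivalent checks are current_user_can() plus check_ajax_referer() at the top of the handler before any option or order is touched.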

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have severe consequences for any organization using the affected plugin. The primary risks include direct financial loss through fraudulent transactions or unauthorized fund transfers. Furthermore, a successful attack could lead to a data breach, exposing sensitive customer payment information and transaction histories, resulting in significant reputational damage, customer distrust, and potential regulatory fines for non-compliance with standards like PCI DSS.

Remediation

Immediate Action: Organizations must immediately update the "Yaad Sarig Payment Gateway For WC" plugin to the latest secure version (greater than 2.2.10) as recommended by the vendor. After patching, system administrators should verify that the update was successful and the payment gateway is functioning correctly. It is also crucial to review access logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Continuously monitor web server access logs for unusual or direct requests to the plugin's PHP files or API endpoints, especially from unexpected IP addresses or unauthenticated users. Scrutinize logs for any unauthorized configuration changes, refund requests, or data export activities related to the payment gateway. Employ security information and event management (SIEM) systems to set up alerts for suspicious patterns indicative of exploitation attempts.

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

  • Implement a Web Application Firewall (WAF) with rules specifically tailored to block unauthorized access to the plugin's sensitive functions.
  • Temporarily disable the Yaad Sarig payment gateway until the patch can be safely deployed.
  • Restrict administrative access to the WordPress dashboard at the network level, allowing connections only from trusted IP addresses.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical CVSS score of 9.1 and the direct risk to financial and customer data, we strongly recommend that all organizations using the Yaad Sarig Payment Gateway For WC plugin apply the security update immediately. This vulnerability represents a significant and direct threat to business operations. While it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. Prioritize the remediation plan outlined above to prevent financial loss, data breaches, and reputational harm.