CVE-2026-56025
Paymob · Paymob for WooCommerce
A broken access control vulnerability in the Paymob for WooCommerce plugin lets unauthenticated users reach plugin functionality that should be restricted to authorized site administrators.
Executive summary
A high-severity (CVSS 7.5) broken access control vulnerability in the Paymob for WooCommerce plugin exposes payment-related configuration functionality to unauthenticated attackers, creating a high risk of unauthorized manipulation of the payment integration.
Vulnerability
The flaw is a missing authorization check: the plugin exposes administrative or configuration functionality without verifying that the caller is logged in and holds the capability required to use it. Because the check is absent on the server side, an unauthenticated external actor can invoke the plugin's backend logic directly, regardless of whether the corresponding controls are hidden in the WordPress admin UI. The specific endpoint and the affected version range are not identified in this advisory; confirm them against the vendor's release notes.
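The pattern described above, shown as an added illustration in WordPress plugin PHP. This is not the Paymob plugin's code; the action name pm_save_gateway_settings, the option key pm_gateway_settings, and the choice of the manage_woocommerce capability are assumptions made for the example. The two handlers are placed side by side for comparison only; a real plugin would contain one or the other.

```php
<?php
// Illustrative only: a hypothetical WordPress AJAX handler showing the
// broken-access-control pattern (no authentication or capability check on a
// configuration function) and its hardened form. The action name, option key
// and capability are assumptions, not taken from the Paymob plugin.

// --- Vulnerable pattern ---------------------------------------------------
// Registering the handler on wp_ajax_nopriv_ makes it callable by logged-out
// visitors, and the callback never checks a capability or nonce, so anyone who
// can reach /wp-admin/admin-ajax.php can overwrite the gateway configuration.
add_action( 'wp_ajax_pm_save_gateway_settings',        'pm_save_gateway_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_pm_save_gateway_settings', 'pm_save_gateway_settings_vulnerable' );

function pm_save_gateway_settings_vulnerable() {
    $settings = array(
        'api_key'      => isset( $_POST['api_key'] ) ? $_POST['api_key'] : '',
        'callback_url' => isset( $_POST['callback_url'] ) ? $_POST['callback_url'] : '',
    );
    update_option( 'pm_gateway_settings', $settings ); // hypothetical option key
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: the action does not exist for
//    logged-out requests at all.
// 2. An explicit capability check, so a logged-in low-privilege user
//    (e.g. a customer account) is rejected too.
// 3. A nonce check, so an administrator cannot be tricked into submitting
//    the request cross-site.
// 4. Input sanitised before it is stored.
add_action( 'wp_ajax_pm_save_gateway_settings', 'pm_save_gateway_settings_hardened' );

function pm_save_gateway_settings_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'pm_gateway_settings', 'nonce' );

    $settings = array(
        'api_key'      => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'callback_url' => esc_url_raw( wp_unslash( $_POST['callback_url'] ?? '' ) ),
    );
    update_option( 'pm_gateway_settings', $settings );
    wp_send_json_success();
}
```

The same rule applies to REST API routes: a route registered with `register_rest_route()` whose `permission_callback` is `__return_true` is reachable by anyone, and the fix is a callback that returns `current_user_can( ... )` for the capability the operation actually requires. When reviewing a plugin for this class of bug, grep for `wp_ajax_nopriv_`, `__return_true` in `permission_callback`, and `admin_post_nopriv_`, then check each callback for a capability check that runs before any state is read or written.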
Business impact
Exploitation of this flaw could allow an attacker to alter payment gateway settings or read sensitive transaction data, directly threatening the confidentiality and integrity of customer financial information. With a CVSS score of 7.5 the vulnerability is rated high, and because it requires no authentication it is a realistic entry point that could lead to service disruption of payment processing and to non-compliance with payment data handling obligations such as PCI DSS.
Remediation
Immediate Action: Update the plugin to the release in which Paymob fixed this issue. This advisory does not list the affected or fixed versions, so confirm them against the vendor's release notes before concluding a site is patched.
Proactive Monitoring: Review web server access logs for requests to the plugin's endpoints (admin-ajax.php actions and REST routes) from clients that are not logged in, and audit changes to the plugin's stored settings in wp_options and to order and transaction records for modifications that do not correspond to an administrator's session.
Compensating Controls: Until the update is applied, deploy WAF or web server rules that restrict the plugin's administrative and configuration paths to known administrative IP addresses. Scope the rule carefully: payment gateway plugins typically expose callback or webhook endpoints that the gateway itself must be able to reach from the public internet, and blocking those will break payment confirmation rather than merely the vulnerable function.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams should treat this vulnerability with high urgency given its direct impact on payment processing infrastructure. Patching is the only complete fix. If an update is not yet available, restrict access to the WordPress administrative interface and to the plugin's endpoints to authorized personnel and networks. If monitoring shows that gateway settings have already been changed, treat the stored gateway credentials as compromised and rotate them with Paymob, then verify that callback URLs and merchant identifiers still point to your own accounts.