CVE-2026-3461
Visa · Acceptance Solutions plugin for WordPress
The Visa Acceptance Solutions plugin for WordPress contains an authentication bypass flaw allowing unauthenticated users to hijack any account by providing a target user's email address.
Executive summary
An authentication bypass vulnerability in the Visa Acceptance Solutions plugin for WordPress allows unauthenticated attackers to perform account takeovers of any user, including administrators.
Vulnerability
The plugin fails to verify email ownership during guest checkout, allowing an unauthenticated attacker to log in as any existing user by supplying that user's email address in the billing parameters.
Business impact
Successful exploitation results in full account takeover, granting attackers administrative access to the WordPress site. With a CVSS score of 9.8, this vulnerability poses an extreme risk of data theft, unauthorized site modification, and potential distribution of malicious content to users, directly impacting organizational security and customer trust.
Remediation
Immediate Action: Update the Visa Acceptance Solutions plugin to the latest available version provided by the vendor.
Proactive Monitoring: Audit user account logs for unexpected login activity or unauthorized changes to administrative account profiles.
Compensating Controls: If an update is unavailable, disable the guest checkout functionality or the plugin entirely until a patch can be verified and deployed.
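For the Proactive Monitoring step, one way to triage web server access logs (an added example, not code from the vendor or the plugin): it flags clients that received a 200 from /wp-admin/ after a checkout POST without a successful wp-login.php POST in the same log. The combined log format, the checkout request paths and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the advisory): combined-format access log lines, and a
# store whose checkout requests are POSTs to /checkout/ or ?wc-ajax=checkout.
CHECKOUT = re.compile(r"^/checkout/|[?&]wc-ajax=checkout")
LOGIN = re.compile(r"^/wp-login\.php")
ADMIN = re.compile(r"^/wp-admin/(?!admin-ajax\.php|admin-post\.php)")
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def suspicious_admin_sessions(lines):
    """Return (ip, checkout_time, admin_time, admin_path) for each client that
    got a 200 from /wp-admin/ after a checkout POST with no login seen."""
    state = {}  # ip -> {"login": bool, "checkout": first timestamp, "hit": bool}
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or non-combined lines
        ip, ts, method, path, status = m.groups()
        s = state.setdefault(ip, {"login": False, "checkout": None, "hit": False})
        if method == "POST" and LOGIN.search(path) and status == "302":
            s["login"] = True  # WordPress redirects (302) on a successful login
        elif method == "POST" and CHECKOUT.search(path):
            s["checkout"] = s["checkout"] or ts
        elif ADMIN.search(path) and status == "200":
            if s["checkout"] and not s["login"] and not s["hit"]:
                s["hit"] = True  # report each client once
                findings.append((ip, s["checkout"], ts, path))
    return findings

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2026:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:05:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:05:12 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:05:14 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Mar/2026:10:07:00 +0000] "POST /checkout/ HTTP/1.1" 200 290 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Mar/2026:10:07:02 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, checkout_ts, admin_ts, path in suspicious_admin_sessions(SAMPLE_LOG):
        print(f"{ip}: checkout POST {checkout_ts} -> 200 on {path} at {admin_ts}")
```

A client whose login predates the log window will also match, so treat each hit as a lead to check against the account's own login and profile-change history.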
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ease of exploitation and the critical impact of administrative account takeover, organizations must treat this as an urgent remediation task. Apply the vendor-provided patch immediately to prevent unauthorized access to sensitive WordPress instances.