CVE-2026-3461

Description

The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by providing the target user's email address in the billing_details parameter, resulting in complete account takeover and site compromise.

PUBLISHED Reserved 2026-03-02 | Published 2026-04-15 | Updated 2026-04-15 | Assigner Wordfence

Problem types

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Product status

Timeline

Credits

Jude Nwadinobi finder

References

www.wordfence.com/...-d7a0-44bd-94dc-3bad0d27dbd8?source=cve

plugins.trac.wordpress.org/...-gateway-expresspay-public.php

plugins.trac.wordpress.org/...-gateway-expresspay-public.php

plugins.trac.wordpress.org/...-gateway-expresspay-public.php

plugins.trac.wordpress.org/...-gateway-expresspay-public.php

cve.org (CVE-2026-3461)

nvd.nist.gov (CVE-2026-3461)

Download JSON