CVE-2026-39609
MEDIUM · 5.3
Real vuln, no KEV/patch, defensive chatter; unclear if mass scanning observed.
What: Missing authorization in Wava Payment WordPress plugin ≤0.3.7 exposes AJAX endpoints to unauthenticated access, allowing log export and settings tampering (CVSS 5.3 MEDIUM).
Why it matters: No patch released; attackers can extract logs and modify plugin settings without authentication. Not KEV-listed yet, but chatter emphasizes active risk—defenders advised to deploy WAF rules immediately. Real exposure window exists while vendor remains silent.
Where it's seen: Security researcher posting identical warnings across Twitter and Bluesky, linking to detailed advisory. Framing as "no patch" and urgent mitigation need suggests working knowledge of the flaw, though no explicit PoC code shared in excerpts.
RISK: MODERATE — Unauthenticated access to sensitive functions; no patch; low CVSS limits blast radius.
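The flaw class here is a missing authorization check on WordPress AJAX handlers (CWE-862 style). The following is an added illustration, not the Wava Payment plugin's code and not taken from the advisory: a handler registered in the way that makes admin-ajax.php actions reachable without login, beside the hardened form that WordPress plugin reviewers expect. All action, option and script handle names (`example_*`, `example-admin`) are placeholders; the page does not state which mechanism the real plugin uses.

```php
<?php
// Added illustration (hypothetical names throughout; not the plugin's code).
// Shows the authorization gap described for the AJAX endpoints, then the fix.

// --- Vulnerable pattern: reachable by logged-out users, no capability or nonce check ---
add_action( 'wp_ajax_nopriv_example_export_logs', 'example_export_logs_unsafe' );
add_action( 'wp_ajax_example_export_logs', 'example_export_logs_unsafe' );
function example_export_logs_unsafe() {
    // Anyone who can reach admin-ajax.php receives the stored log contents.
    wp_send_json_success( get_option( 'example_plugin_logs', array() ) );
}

// --- Hardened pattern: logged-in hook only, capability check, nonce check ---
// wp_ajax_nopriv_* is deliberately not registered for this action.
add_action( 'wp_ajax_example_export_logs_secure', 'example_export_logs_secure' );
function example_export_logs_secure() {
    // Reject requests that do not carry a valid nonce issued for this action.
    check_ajax_referer( 'example_export_logs', 'nonce' );

    // Reject authenticated users who lack the administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( get_option( 'example_plugin_logs', array() ) );
}

// The same two checks guard the settings-update handler, plus input validation.
add_action( 'wp_ajax_example_update_settings_secure', 'example_update_settings_secure' );
function example_update_settings_secure() {
    check_ajax_referer( 'example_update_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Sanitize and whitelist the incoming value before persisting it.
    $mode = isset( $_POST['mode'] ) ? sanitize_text_field( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, array( 'test', 'live' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid mode' ), 400 );
    }
    update_option( 'example_plugin_mode', $mode );
    wp_send_json_success();
}

// Hand the nonces to the admin page's script so legitimate requests can carry them.
// Assumes a script with handle 'example-admin' was registered via wp_enqueue_script().
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'exportNonce'   => wp_create_nonce( 'example_export_logs' ),
        'settingsNonce' => wp_create_nonce( 'example_update_settings' ),
    ) );
} );
```

Two points for defenders reviewing this. First, `check_ajax_referer()` alone is not authorization: nonces only prove the request originated from a page WordPress rendered for that user, so the `current_user_can()` check is what actually enforces who may export logs or change settings. Second, the "WAF rules" the posts recommend require knowing the plugin's actual `action=` parameter values to block unauthenticated requests to admin-ajax.php by name; those names are not given on this page, so any rule must be derived from the plugin's own source or the linked advisory, and should be tested against legitimate front-end AJAX traffic before deployment.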
NVD details: 1 CWE · 0 vendors · 1 ref
Description
Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wava Payment: from n/a through <= 0.3.7.
Weaknesses
Top posts driving the trend
@HugoValtersX · 5/3/2026
CVE-2026-39609: Wava Payment plugin <=0.3.7 missing auth on AJAX endpoints. No patch. Unauthenticated log export, settings tamper. WAF rules or bust. #CVE #WordPress #APIsecurity #Developers #infosec #cybersecurity #devsecops #sysadmin info: https://t.co/aVaS5aPL8L
♥ 0 · ↻ 0 · 💬 0
@hugovalters.bsky.social · Bluesky · 5/3/2026
CVE-2026-39609: Wava Payment plugin <=0.3.7 missing auth on AJAX endpoints. No patch. Unauthenticated log export, settings tamper. WAF rules or bust. #CVE #WordPress #APIsecurity https://www.valtersit.com/cve/2026/04/cve-2026-39609/
♥ 0 · ↻ 0 · 💬 0