CVE-2026-27073
Published: 25 March 2026
Summary
CVE-2026-27073 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the hard-coded credentials vulnerability by requiring prompt remediation through patching or updating the affected WordPress plugin to a non-vulnerable version.
Prohibits the use of hard-coded authenticators, directly countering CWE-798 exploitation in the plugin's password recovery mechanism.
Requires checking and prohibiting installation of unapproved or vulnerable user-installed software like the Addi WordPress plugin containing hard-coded credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remotely exploitable, unauthenticated broken-authentication flaw (hard-coded credentials) in a public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application for initial access and password recovery.
NVD Description
Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation. This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4.
Deeper analysis
CVE-2026-27073 is a Use of Hard-coded Credentials vulnerability (CWE-798) in the WordPress plugin Addi – Cuotas que se adaptan a ti, a buy-now-pay-later solution with the plugin slug buy-now-pay-later-addi. The issue affects all versions up to and including 2.0.4 and enables password recovery exploitation. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to network accessibility and integrity impact.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows password recovery, resulting in high integrity impact (I:H) with no confidentiality (C:N) or availability (A:N) impact.
The Patchstack advisory documents this as a broken authentication vulnerability in the Addi – Cuotas que se adaptan a ti WordPress plugin version 2.0.4. Practitioners should consult the advisory at https://patchstack.com/database/Wordpress/Plugin/buy-now-pay-later-addi/vulnerability/wordpress-addi-cuotas-que-se-adaptan-a-ti-plugin-2-0-4-broken-authentication-vulnerability?_s_id=cve for mitigation details, such as available patches or updates.
Details
- CWE(s)