CVE-2026-3461

Severity: Critical
Published: 15 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0047 (37.4th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-3461 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the Visa Acceptance Solutions plugin for WordPress (product inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS probability of 0.0047 places it at the 37.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. EPSS estimates likelihood, not impact: a below-median score does not lessen the consequence of an unauthenticated administrator takeover on an exposed site, so exposure (is the plugin installed and is guest subscription checkout reachable?) should drive prioritization here.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3461 is an authentication bypass vulnerability in the Visa Acceptance Solutions plugin for WordPress, affecting all versions up to and including 2.1.0. The flaw originates in the `express_pay_product_page_pay_for_order()` function, which automatically logs in users during guest checkout for subscription products based solely on a user-supplied billing email address. This occurs without verifying email ownership, requiring a password, or validating a one-time token.

Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no privileges by submitting the target user's email address in the billing_details parameter during the affected checkout process. Successful exploitation grants login access as any existing user, including administrators, enabling complete account takeover and full site compromise. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

References to the vulnerability include code excerpts from the WordPress plugin trac repository, pinpointing lines 777 and 790 in public/class-visa-acceptance-payment-gateway-expresspay-public.php for both the tagged 2.1.0 release and the trunk branch. The Wordfence threat intelligence advisory provides additional details on the issue via its vulnerability ID page.

Vulnerability details

The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by providing the target user's email address in the billing_details parameter, resulting in complete account takeover and site compromise.
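To make the failure described in the deeper analysis and the vulnerability details concrete, here is an added illustration of the CWE-288 pattern and a hardened counterpart. It is not the plugin's code and does not come from the advisory: the function names, the `$billing_details['email']` field shape, the `xpay_token_` transient prefix and the `xpay_uid` / `xpay_token` query parameters are assumptions. The WordPress calls used (`get_user_by`, `wp_set_current_user`, `wp_set_auth_cookie`, `wp_login_url`, `wp_safe_redirect`, `set_transient`, `get_transient`, `wp_hash`, `wp_generate_password`, `wp_mail`) are real core functions.

```php
<?php
// Added illustration only. Hypothetical reconstruction of the CWE-288 pattern
// described in the advisory plus a hardened counterpart; not the plugin's code.
// Assumed: function names, the $billing_details['email'] field, the 'xpay_token_'
// transient prefix and the xpay_uid / xpay_token query parameters.

/**
 * VULNERABLE pattern (assumed shape of the flaw): a guest subscription
 * checkout that trusts the billing e-mail alone. Anyone who POSTs an
 * administrator's address receives an administrator session.
 */
function insecure_guest_checkout_login( array $billing_details ) {
    $email = isset( $billing_details['email'] )
        ? sanitize_email( wp_unslash( $billing_details['email'] ) ) : '';
    $user = get_user_by( 'email', $email );
    if ( $user ) {
        // Alternate path into an authenticated session: no password, no
        // ownership check, no one-time token. This is the bypass.
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
        return $user->ID;
    }
    return 0;
}

/**
 * HARDENED pattern: an unverified e-mail never mints a session (AC-14 / AC-3).
 * If the address belongs to an existing account, hand off to the regular
 * WordPress login and return to checkout afterwards; a genuinely new guest
 * proceeds as a guest with no session at all.
 */
function secure_guest_checkout( array $billing_details, string $checkout_url ) {
    $email = isset( $billing_details['email'] )
        ? sanitize_email( wp_unslash( $billing_details['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'A valid billing e-mail is required.' );
    }
    if ( is_user_logged_in() ) {
        return get_current_user_id(); // authenticated by core, not by the checkout
    }
    if ( get_user_by( 'email', $email ) ) {
        wp_safe_redirect( wp_login_url( $checkout_url ) );
        exit;
    }
    return 0; // guest order, bound to no account
}

/**
 * If product requirements insist on a password-less "claim your account" step,
 * prove mailbox ownership with a single-use, short-lived token instead of
 * trusting the typed address. Only the token's hash is stored server-side.
 */
function secure_issue_checkout_token( string $email, string $checkout_url ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return false; // same response either way: do not reveal account existence
    }
    $token = wp_generate_password( 32, false );
    set_transient( 'xpay_token_' . $user->ID, wp_hash( $token ), 15 * MINUTE_IN_SECONDS );
    $link = add_query_arg(
        array( 'xpay_uid' => $user->ID, 'xpay_token' => $token ),
        $checkout_url
    );
    return wp_mail( $user->user_email, 'Confirm your checkout', esc_url_raw( $link ) );
}

function secure_redeem_checkout_token( int $user_id, string $token ) {
    $stored = get_transient( 'xpay_token_' . $user_id );
    // Constant-time compare against the stored hash; expiry is enforced by the transient.
    if ( ! is_string( $stored ) || ! hash_equals( $stored, wp_hash( $token ) ) ) {
        return false;
    }
    delete_transient( 'xpay_token_' . $user_id ); // single use
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    return true;
}
```

The token path still makes the mailbox the only factor, so a compromised administrator inbox would still yield an administrator session; for any account with elevated capabilities the redirect to the regular login (and whatever MFA the site enforces there) is the safer branch. Note also that the hardened checkout discloses whether an e-mail has an account by redirecting; if that enumeration matters for the deployment, issue the token e-mail unconditionally and show the same "check your inbox" message in both cases.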

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications for unauthenticated remote account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (shared CWE-288)

CVE-2026-44574
CVE-2025-2747
CVE-2025-69101
CVE-2026-2628
CVE-2025-64121
CVE-2026-22733
CVE-2026-44575
CVE-2025-50904
CVE-2025-24846
CVE-2026-25002

Affected Assets

WordPress: Visa Acceptance Solutions plugin, all versions up to and including 2.1.0
(inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST SP 800-53 r5)

Prevent: AC-14 (Permitted Actions Without Identification or Authentication). Explicitly authorizes and limits the actions that may be performed without identification or authentication, directly ruling out the plugin's automatic login based solely on an unverified, user-supplied email during guest checkout.

Prevent: identification and authentication of non-organizational users. Requires non-organizational users (here, shop customers) to be identified and authenticated before being granted access to systems such as WordPress sites, countering a bypass that logs users in without verifying credentials or email ownership.

Prevent: AC-3 (Access Enforcement). Enforces approved authorizations for logical access, addressing the failure to require proper authentication before a user session is granted in the vulnerable checkout function.
