CVE-2026-40741: WordPress Redsys for WooCommerce Light plugin <= 7.0.0 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: none published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the Redsys for WooCommerce Light WordPress plugin at version 7.0.0 and below. The vulnerable code is reachable over the network and requires neither authentication nor user interaction. Successful exploitation lets an attacker modify data or perform actions the plugin should restrict; the CVSS vector rates the integrity impact High and the confidentiality and availability impact None. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection (Available): the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle this plugin. Any image in a customer registry or CI pipeline containing an affected version of Redsys for WooCommerce Light is flagged automatically.
- Scoring and triage (Available): HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each organization's compliance policy to determine urgency. Triage routing directs the finding to the appropriate team or inbox within each customer org.
- Patched rebuild (Pending upstream): no fix version has been published by the vendor for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, findings remain open and resurface automatically if affected images are pushed again.
Exploit Conditions
- Network reachability: Required. The vulnerable component is exposed over the network, so an attacker can reach it remotely without any foothold on the host.
- Authentication: Not required. No account or session credential of any kind is needed to trigger the vulnerability.
- Victim interaction: Not required. The attack completes without any action from a legitimate user or administrator.
- Attack complexity: Low (AC:L in the CVSS vector). Exploit conditions are straightforward and reliable, with no race conditions or environmental dependencies required.
Blast Radius
- An unauthenticated attacker can bypass access controls and perform unauthorized write-level operations against the plugin's functionality.
- Order data, payment callback handling, or plugin configuration records may be modified or manipulated without any legitimate user credential.
- Confidentiality and availability are not rated as impacted (C:N and A:N in the vector), but integrity loss can have downstream effects on transaction records or payment flows.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for this CVE yet, HarborGuard re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment the vendor ships a fix. For customers who opt into auto-remediation, that rebuild triggers a regression run and opens a PR against affected workloads automatically. Until a fix exists, compensating controls worth considering are: network-policy or web-server rules that restrict unauthenticated external access to the WordPress admin and plugin callback endpoints (if the callback endpoint has to receive server-to-server notifications from the payment provider, allowlist the provider's source addresses rather than blocking the endpoint outright, or legitimate payment confirmations stop arriving); egress filtering to limit what the plugin can reach externally; and uninstalling the plugin entirely if Redsys payment processing is not actively in use. Uninstalling is preferable to merely deactivating: a deactivated plugin's files stay on disk, so image scanners keep flagging them and any plugin PHP file that can be requested directly without loading WordPress remains reachable. Open findings for this CVE remain visible in the HarborGuard dashboard and re-trigger on any new push of an affected image.
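The detection described under HarborGuard Coverage (matching an affected plugin version inside an image) and the "findings resurface on re-push" point above both come down to one check: find the plugin's header in wp-content/plugins and compare its version against the 7.0.0 ceiling from the advisory. The script below is an added example of that check, not HarborGuard's or the plugin author's code. It generalizes to any WordPress plugin header, and it assumes a plugin directory layout, a "Plugin Name" header string and sample files that are constructed here for illustration; only the affected range comes from the advisory.

```python
"""Added example (not HarborGuard's or the plugin author's code): flag installs of
Redsys for WooCommerce Light at or below 7.0.0, the range CVE-2026-40741 covers,
by reading WordPress plugin headers from an unpacked image layer or a live
wp-content/plugins directory. Directory names, the exact "Plugin Name" header
string and the sample files are constructed for this example.
"""
import os
import re
import tempfile

# The advisory gives the affected range; the header string is an assumption.
AFFECTED_PLUGIN_NAME = "Redsys for WooCommerce Light"
LAST_AFFECTED_VERSION = "7.0.0"

# WordPress plugin headers look like " * Version: 7.0.0" inside the leading comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text):
    """'7.0.0' -> (7, 0, 0). Keeps the numeric prefix of each dotted part, so
    '7.0.0-rc1' compares as 7.0.0; anything unparseable becomes an empty tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """True when version <= LAST_AFFECTED_VERSION; '7.0' and '7.0.0' compare equal."""
    a, b = parse_version(version), parse_version(LAST_AFFECTED_VERSION)
    if not a:
        return True  # unknown version: keep the finding open rather than silently clear it
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def read_plugin_headers(php_path):
    """Read the header fields from a plugin's main PHP file. Only the first 8 KiB are
    read, which is the window WordPress itself uses for file headers."""
    with open(php_path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def scan_plugins_dir(plugins_dir):
    """Return one finding per plugin whose header names the affected plugin.
    Like WordPress, only top-level .php files of each plugin directory are
    treated as candidate main files."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        for fname in sorted(os.listdir(plugin_path)):
            if not fname.endswith(".php"):
                continue
            headers = read_plugin_headers(os.path.join(plugin_path, fname))
            if headers.get("Plugin Name") != AFFECTED_PLUGIN_NAME:
                continue
            version = headers.get("Version", "")
            findings.append({
                "slug": slug,
                "file": fname,
                "version": version,
                "affected": is_affected(version),
                "cve": "CVE-2026-40741",
            })
    return findings


def build_sample_tree():
    """Construct a throwaway plugins tree: one install at 7.0.0, one at a hypothetical
    later version (no fixed release exists at the time of writing), one unrelated plugin."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "redsys-light-old/redsys-light.php":
            "<?php\n/**\n * Plugin Name: Redsys for WooCommerce Light\n * Version: 7.0.0\n */\n",
        "redsys-light-later/redsys-light.php":
            "<?php\n/*\nPlugin Name: Redsys for WooCommerce Light\nVersion: 7.1.0\n*/\n",
        "other-plugin/other-plugin.php":
            "<?php\n/**\n * Plugin Name: Some Other Plugin\n * Version: 1.0.0\n */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree and return {slug: affected} for matched installs."""
    return {f["slug"]: f["affected"] for f in scan_plugins_dir(build_sample_tree())}


if __name__ == "__main__":
    for finding in scan_plugins_dir(build_sample_tree()):
        status = "AFFECTED" if finding["affected"] else "not affected"
        print(f'{finding["slug"]}/{finding["file"]} version {finding["version"]}: {status}')
```

To run it against a real image rather than the constructed tree, export the container filesystem (for example with `docker export <container> | tar -x -C <dir>`) and point `scan_plugins_dir` at the extracted wp-content/plugins directory. Because the check reads files on disk, a deactivated-but-not-uninstalled plugin is still reported, which is the behaviour you want from an image scanner.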
Affected Products
- Jose Conti / Redsys for WooCommerce Light: ≤ 7.0.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N