HarborGuard Database

Severity: HIGH | CVE-2026-42655 | CNA: Patchstack

CVE-2026-42655: WordPress Best Payments Plugin for WP plugin <= 4.6.19 - Payment Bypass vulnerability

Unauthenticated payment bypass vulnerability in Best Payments Plugin for WP versions <= 4.6.19.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects the Best Payments Plugin for WP by WPManageNinja at version 4.6.19 and earlier. The flaw is reachable over the network with no authentication required, though the High attack-complexity rating indicates that reliable exploitation depends on conditions the attacker does not directly control. Successful exploitation allows an attacker to bypass payment verification, enabling fraudulent order completion or payment avoidance without tampering with other stored data or disrupting the service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Status: Available)

Detection of CVE-2026-42655 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle the affected plugin, not only images pulled from public registries.
Triage (Status: Available)

HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to reflect organizational risk tolerance. Triage routing directs the finding to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch (Status: Pending upstream)

Because no upstream fix version has been published for CVE-2026-42655, HarborGuard re-checks the Patchstack advisory and NVD record on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as the upstream patch ships.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; there is no requirement for local or physical access.

  • Authentication: Not required

    No account or session credential is needed; the bypass can be attempted by an anonymous, unauthenticated request.

  • Victim interaction: Not required

    The attacker does not need to involve or deceive any user or administrator to trigger the vulnerability.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must engineer specific conditions, such as precise request sequencing or a particular checkout state, before the bypass succeeds reliably.

Blast Radius

  • An attacker can complete purchase flows without a valid payment, causing the merchant to fulfill orders for which no payment was collected.
  • Payment integrity records are corrupted, as orders are marked paid in the system without a corresponding financial transaction.
  • No confidential data is exposed and no service disruption is caused; the impact is confined to the integrity of the payment pipeline.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-42655 is monitored continuously because no upstream fix has been published yet. HarborGuard re-evaluates the Patchstack advisory on every ingest cycle, so a patched-image rebuild becomes available automatically when WPManageNinja ships a fix. In the interim, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to payment-processing endpoints, source filtering on payment-callback endpoints so that only the payment provider's origins are accepted, and feature-flag or WAF-level gating on the affected checkout flow. For customers who opt into auto-remediation, the moment a fix version is published the platform will trigger a rebuild, run regression tests, and open a PR against affected workloads without requiring manual action.

Affected packages
  • WPManageNinja / Best Payments Plugin for WP
    ≤ 4.6.19
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N