CVE-2026-49070: WordPress Knit Pay plugin <= 9.4.0.0 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the Knit Pay WordPress plugin at version 9.4.0.0 and earlier. The flaw is reachable over the network with no authentication required, meaning any remote visitor can trigger the affected functionality without holding a WordPress account. Successful exploitation allows an attacker to tamper with or corrupt payment-related data managed by the plugin, compromising data integrity. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): Detection for CVE-2026-49070 is active across every HarborGuard environment. The CVE is matched against customer images, including custom-built images that bundle the Knit Pay plugin, within minutes of its ingestion from upstream feeds such as Patchstack. Any image in a connected registry or CI pipeline is eligible for matching automatically.
- Triage (Available): HarborGuard triage scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights the result against each customer environment's compliance policy to route the finding to the appropriate team inbox. Per-environment policy rules can raise or lower routing priority based on workload classification.
- Fix (Pending upstream): No fix version has been published for this CVE. HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress installation over the network; no local or physical access is needed.
- Authentication: Not required
No WordPress account or credentials of any kind are needed to trigger this vulnerability.
- Victim interaction: Not required
The attacker does not need to trick or involve any authenticated user to carry out the attack.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions or special environmental factors are required.
Blast Radius
- An unauthenticated attacker can modify payment-related records or configuration managed by the Knit Pay plugin.
- Write access to plugin data may allow manipulation of payment statuses, order records, or gateway configuration, depending on the exposed endpoints.
- No confidentiality impact is indicated; stored data is not directly disclosed to the attacker.
- Service availability is not affected; the plugin and WordPress remain operational during and after exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49070 is active across all connected registries and pipelines for any image bundling Knit Pay at or below version 9.4.0.0. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically once a fix version is published. In the interim, customers are advised to consider network-policy controls that restrict unauthenticated external access to the affected WordPress endpoints, and to review whether the plugin's access-controlled routes can be gated behind an authentication layer at the web-server or WAF level. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger without manual action the moment an upstream patch is available.
Affected Products
- Knit Pay / Knit Pay: ≤ 9.4.0.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N