Unauthenticated Privilege Escalation in Paytium <= 5.0.2 versions.
The vulnerability classified as CWE-266 (Incorrect Privilege Assignment) involves improper privilege assignment in the Paytium plugin logic. A remote attacker, without having any account in the system, is able to invoke plugin functionality and obtain a higher privilege level than they should be entitled to. The detailed mechanism of triggering the vulnerability is described in the vendor references.
An unauthenticated attacker can obtain elevated privileges in the WordPress system, which in practice can lead to takeover of the website, content modification, data theft, or installation of malicious software.
The Paytium plugin should be updated immediately to a version higher than 5.0.2. Detailed information about the available patch can be found in the vendor references at patchstack.com.
Paytium plugin for WordPress versions 5.0.2 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H