ThemesGrove WP SmartPay Authentication Bypass Vulnerability Allowing Account Takeover

A vulnerability allowing authentication bypass via an alternate path or channel has been identified in the ThemesGrove WP SmartPay plugin, affecting versions through 2.7.13. This vulnerability allows for authentication abuse, potentially leading to unauthorized actions on behalf of users with higher privileges.

Impact

Exploitation of this vulnerability could allow a malicious actor to bypass authentication mechanisms, leading to unauthorized access and actions within the application, particularly those reserved for higher privileged users. In this case, it could allow an attacker to gain administrative access to the WordPress site.

Remediation

Users of the WP SmartPay plugin are advised to update to the latest version. For those unable to update immediately, Patchstack offers a virtual patch that can be applied to mitigate this vulnerability until an official fix is available.