The vulnerability identified as CVE-2024-5861 affects the WP EasyPay – Square for WordPress plugin, a widely used integration that enables WordPress sites to accept payments via Square. The root cause is a missing authorization check (CWE-862) in the wpep_square_disconnect() function, which handles the disconnection of the Square payment gateway. Because this function lacks a capability check, unauthenticated attackers can invoke it remotely, disconnecting the Square payment integration without any credentials or user interaction. This vulnerability impacts all versions of the plugin up to and including 4.2.3. The CVSS 3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N). The impact is limited to integrity, as attackers can modify the payment configuration by disconnecting Square, but confidentiality and availability remain unaffected. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. However, the ability to disrupt payment processing can have significant operational and reputational consequences for affected websites. The vulnerability was publicly disclosed on July 24, 2024, and assigned by Wordfence.

The primary impact of CVE-2024-5861 is the unauthorized modification of payment gateway configuration, specifically the disconnection of the Square payment service on affected WordPress sites. This can lead to disruption of payment processing, resulting in lost sales and customer dissatisfaction. Although the vulnerability does not expose sensitive data or cause denial of service, the integrity compromise can undermine trust in the affected e-commerce platforms. Attackers could exploit this flaw to cause intermittent or prolonged payment outages, potentially impacting revenue streams. Organizations relying on WP EasyPay – Square for WordPress for their payment processing are at risk of operational disruption. The ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks, especially on high-traffic commercial websites. While no known exploits are currently in the wild, the vulnerability’s public disclosure may prompt attackers to develop exploit tools.

To mitigate CVE-2024-5861, organizations should immediately update the WP EasyPay – Square for WordPress plugin to a version that includes the missing authorization check once released by the vendor. Until a patch is available, administrators can implement the following practical measures: 1) Restrict access to the WordPress REST API endpoints or AJAX handlers associated with the wpep_square_disconnect() function using web application firewall (WAF) rules or server-level access controls to block unauthenticated requests. 2) Monitor logs for suspicious requests targeting the disconnect function and alert on anomalies. 3) Employ WordPress security plugins that can enforce capability checks or limit access to sensitive plugin functions. 4) Regularly audit and review payment gateway configurations to detect unauthorized changes promptly. 5) Educate site administrators about the vulnerability and the importance of timely updates. These steps help reduce the attack surface and detect exploitation attempts before the official patch is applied.