CVE-2025-49339 identifies a Missing Authorization vulnerability (CWE-862) in the Digages Direct Payments WP plugin, versions up to 1.3.0. This vulnerability arises from incorrectly configured access control security levels within the plugin, allowing users with limited privileges (PR:L) to perform unauthorized actions. The vulnerability does not require user interaction (UI:N) and can be exploited remotely (AV:N) over the network. The impact primarily affects the integrity of payment-related data or operations, as unauthorized users may manipulate payment processes or data without proper authorization checks. Confidentiality and availability remain unaffected. The CVSS v3.1 score is 4.3 (medium), reflecting the limited scope and impact. No patches or known exploits are currently available, indicating that the vulnerability is newly disclosed and unmitigated. The plugin is used within WordPress environments, commonly deployed in e-commerce and payment processing contexts. The vulnerability's root cause is a failure to enforce proper authorization checks on sensitive operations, which could lead to unauthorized modifications or fraudulent transactions if exploited. Organizations using this plugin should prioritize access control reviews and prepare for patch deployment once available.

For European organizations, this vulnerability poses a risk to the integrity of payment processing systems integrated via the Digages Direct Payments WP plugin. Unauthorized users with some privileges could manipulate payment data or transaction workflows, potentially leading to fraudulent transactions, financial discrepancies, or loss of trust from customers. While confidentiality and availability are not directly impacted, the integrity breach could cause regulatory compliance issues under GDPR and financial regulations, especially if payment data is altered or misused. E-commerce businesses and financial service providers relying on this plugin are particularly vulnerable. The absence of known exploits reduces immediate risk, but the medium severity rating and lack of patches necessitate proactive mitigation. The impact is heightened in sectors with stringent payment security requirements and high transaction volumes common in European markets.

1. Immediately audit and restrict user privileges within WordPress to the minimum necessary, especially for roles that interact with the Direct Payments WP plugin. 2. Review and harden access control configurations in the plugin settings and WordPress user roles to ensure no unauthorized access paths exist. 3. Monitor logs for unusual payment-related activities or unauthorized access attempts to detect exploitation early. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin endpoints. 5. Stay alert for official patches or updates from Digages and apply them promptly once released. 6. Consider temporarily disabling or replacing the plugin with a more secure alternative if critical payment operations are at risk and no patch is available. 7. Conduct penetration testing focused on authorization controls around payment processing workflows to identify other potential weaknesses. 8. Educate administrators and developers about the importance of strict authorization checks in payment plugins and custom code.