CVE-2026-1710 is an improper authorization vulnerability classified under CWE-285 found in the WooPayments: Integrated WooCommerce Payments plugin for WordPress. The vulnerability exists due to the absence of a capability check in the 'save_upe_appearance_ajax' function, which is responsible for saving certain plugin appearance settings via AJAX requests. This missing authorization check allows unauthenticated attackers to invoke this function and modify plugin settings without any privileges. Since WooPayments handles payment processing configurations, unauthorized changes could disrupt payment workflows or introduce malicious configurations. The vulnerability affects all versions up to and including 10.5.1. The CVSS 3.1 base score is 6.5, indicating a medium severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). No public exploits are known at this time, but the ease of exploitation and unauthenticated access make it a significant risk for WooCommerce sites using this plugin. The vulnerability was reserved on 2026-01-30 and published on 2026-03-31. No patches are currently linked, so mitigation relies on monitoring and restricting access until updates are released.

The primary impact of this vulnerability is unauthorized modification of WooPayments plugin settings, which can compromise the integrity and availability of payment processing configurations. Attackers could alter payment appearance or behavior, potentially disrupting transactions or causing denial of service conditions for e-commerce operations. Although confidentiality is not directly affected, the integrity and availability impacts can lead to financial losses, customer trust erosion, and operational downtime. Since exploitation requires no authentication or user interaction and can be performed remotely over the network, the attack surface is broad. Organizations running WooCommerce with WooPayments are at risk, especially those with high transaction volumes or critical dependency on uninterrupted payment processing. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public. The medium severity rating reflects these considerations.

1. Monitor official WooCommerce and WooPayments channels closely for security patches addressing CVE-2026-1710 and apply updates immediately upon release. 2. Until patches are available, restrict access to the WordPress admin AJAX endpoint (admin-ajax.php) using web application firewalls (WAFs) or server-level access controls to limit exposure to unauthenticated requests. 3. Implement strict IP whitelisting or rate limiting on AJAX endpoints to reduce attack surface. 4. Regularly audit WooPayments plugin settings and logs for unauthorized changes or suspicious activity. 5. Harden WordPress installations by disabling unnecessary plugins and enforcing least privilege principles for all users. 6. Employ intrusion detection systems (IDS) to alert on anomalous requests targeting the vulnerable function. 7. Educate site administrators about the vulnerability and encourage vigilance until patches are deployed. 8. Consider temporary disabling or replacing WooPayments if critical risk is unacceptable and no patch is available.