The WooPayments plugin for WordPress suffers from an improper authorization vulnerability (CWE-285) due to the absence of a capability check in the 'save_upe_appearance_ajax' function. This allows unauthenticated attackers to update plugin settings, potentially disrupting payment configurations or plugin behavior. The vulnerability affects all versions up to 10.5.1. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, but low integrity and low availability impacts.

An attacker without authentication can modify WooPayments plugin settings, which may lead to altered payment processing behavior or denial of service conditions. The vulnerability does not expose confidential data but impacts the integrity and availability of the plugin's configuration. No known exploits are reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the WordPress admin interface and monitor for suspicious activity related to WooPayments settings. Avoid exposing administrative endpoints publicly where possible.