Key information

Description

Vulnerability title: OpenPix <= 2.13.3 - Subscriber+ Payment Gateway Settings Reset

Description: The plugin allows any authenticated user to trigger an AJAX action that resets the payment gateway configuration options, without any capability or nonce check. This allows any authenticated user, such as a subscriber, to clear the API credentials and webhook state, causing persistent disruption of the OpenPix payment functionality.

Affected versions: OpenPix <= 2.13.3

References

CVE: CVE-2025-15400

Classification

Type: NO AUTHORISATION
OWASP Top 10: A5: Broken Access Control
CWE: CWE-862
CVSS: 6.5 (medium)

Other information

Original researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
Submitter website: https://nomanprodhan.com
Submitter Twitter: NomanProdhan
Verified: Yes
WPVDB ID: 54c1251f-96be-4d70-b773-3db26b599838

Timeline

Publicly published: 2026-01-20
Added: 2026-01-13
Last updated: 2026-01-13

Related vulnerabilities

Comments Extra Fields For Post, Pages and CPT < 5.1 - Missing Authorization
Points and Rewards for WooCommerce < 2.9.6 - Missing Authorization
Publitio < 2.1.9 - Missing Authorization
Hellowprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification
WPLMS < 1.9.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
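The defect class described above (a privileged AJAX handler registered on a `wp_ajax_` hook with no capability or nonce check) is shown here in generic form next to its hardened counterpart. This is an added illustration written for this entry; it is not OpenPix code, and the action names, option names and nonce action string are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. All action/option names are hypothetical.

// Vulnerable shape: wp_ajax_* hooks are reachable by every logged-in user (CWE-862),
// and this handler performs a privileged write with no authorization or nonce check.
add_action( 'wp_ajax_example_reset_gateway', 'example_reset_gateway_unsafe' );
function example_reset_gateway_unsafe() {
    delete_option( 'example_gateway_api_key' );       // hypothetical option names
    delete_option( 'example_gateway_webhook_state' );
    wp_send_json_success( 'reset' );
}

// Hardened shape: verify a nonce bound to this specific action, then require a
// capability appropriate for changing payment settings. Unauthorized requests
// stop before any option is touched.
add_action( 'wp_ajax_example_reset_gateway_v2', 'example_reset_gateway_safe' );
function example_reset_gateway_safe() {
    // Terminates the request when the 'nonce' parameter is missing or invalid (CSRF defence).
    check_ajax_referer( 'example_reset_gateway_nonce', 'nonce' );

    // Authorization: subscribers do not hold manage_options, so they receive an error.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    delete_option( 'example_gateway_api_key' );
    delete_option( 'example_gateway_webhook_state' );
    wp_send_json_success( 'reset' );
}

// The settings page that renders the reset button must issue the matching nonce, e.g.
// wp_nonce_field( 'example_reset_gateway_nonce', 'nonce' ) in a form, or
// wp_create_nonce( 'example_reset_gateway_nonce' ) passed to the page's JavaScript.
```

Note that the nonce and the capability check cover different risks: the nonce defends against cross-site request forgery, while `current_user_can()` is the actual authorization decision. A nonce alone does not fix this class of issue, because any logged-in user who can reach the page that issues the nonce could still call the action; the capability check is the part that stops a subscriber from clearing the gateway credentials.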