Vulnerability Summary: CVE-2026-1710

Vulnerability Overview

CVE ID: CVE-2026-1710

Vulnerability Name: WooPayments – Unauthenticated Checkout UI Cache Poisoning/DoS via Public save_upe_appearance AJAX Endpoint

Description: This vulnerability exists within the WooPayments plugin, manifesting as an unauthenticated cache poisoning and Denial of Service (DoS) flaw. The core issue lies in a public AJAX endpoint that allows any visitor to submit attacker-controlled Stripe Elements appearance configurations. The plugin stores this data in a shared transient, which is subsequently consumed by all shoppers. This transforms a single anonymous request into a persistent, site-wide checkout manipulation lasting up to one day. The impact is particularly severe for websites relying on card payments as their primary revenue source: legitimate customers are prevented from completing checkout while the page still appears to be a normal checkout frontend.

Scope of Impact

Affected Plugin: WooPayments

Affected Versions: <= 10.5.1

Active Installations: 900,000+

Exploitation Conditions: Unauthenticated access via the public AJAX endpoint.

Publication Date: March 30, 2026

Remediation

1. Enforce Authorization: Public endpoints must not write to global appearance configurations. Handlers should be restricted to administrators or store managers.
2. Validate Nonce: Nonce validation is mandatory, but a nonce must not be the only gate: it protects against CSRF and is not an authorization check.
3. Change Storage Model: If the appearance is intended for visitors or sessions, it should be stored in client-side or session-scoped storage, not in a global transient. If configured by an administrator, it should be stored in options and only updatable by privileged users.
4. Input Validation: Appearance JSON must undergo schema validation; requests should be rejected unless they match the expected type.
5. Limit Write Operations: Implement rate limiting to prevent abuse.
6. Monitoring: Monitor appearance updates for anomalous values.

POC Code
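The following is an added remediation example, not the advisory's proof-of-concept and not WooPayments code. It shows how the six remediation points above combine in a single WordPress AJAX handler for an administrator-configured appearance setting: the handler is registered only on the authenticated `wp_ajax_` hook, checks a nonce for CSRF and a capability for authorization, throttles writes, validates the JSON against a whitelist schema with `rest_validate_value_from_schema`, stores the result in an option rather than a shared transient, and fires actions that a logging integration can consume. The action name `example_save_appearance`, the POST parameter `appearance`, the option key `example_upe_appearance`, the schema fields and the action hook names are all assumptions made for this illustration; `check_ajax_referer`, `current_user_can`, `rest_validate_value_from_schema`, `wp_send_json_error` and `update_option` are standard WordPress functions, and `manage_woocommerce` is the WooCommerce store-manager capability.

```php
<?php
// Added example of a hardened appearance-save AJAX handler (not WooPayments code).
// Hook names, option key, POST parameter and schema fields are assumptions.

// --- Weak pattern the advisory describes (shown for contrast, do not use) ---
// add_action( 'wp_ajax_nopriv_example_save_appearance', 'example_save_appearance_weak' );
// function example_save_appearance_weak() {
//     // No capability check, and a shared transient that every shopper then reads.
//     set_transient( 'example_upe_appearance', json_decode( wp_unslash( $_POST['appearance'] ), true ), DAY_IN_SECONDS );
//     wp_send_json_success();
// }

// --- Hardened handler: authenticated hook only, no wp_ajax_nopriv_ variant ---
add_action( 'wp_ajax_example_save_appearance', 'example_save_appearance_hardened' );

function example_appearance_schema() {
    // Whitelist of the fields the checkout actually renders; anything else is rejected.
    return array(
        'type'                 => 'object',
        'additionalProperties' => false,
        'properties'           => array(
            'theme'     => array( 'type' => 'string', 'enum' => array( 'stripe', 'night', 'flat' ) ),
            'variables' => array(
                'type'                 => 'object',
                'additionalProperties' => false,
                'properties'           => array(
                    'colorPrimary' => array( 'type' => 'string', 'pattern' => '^#[0-9a-fA-F]{6}$' ),
                    'fontSizeBase' => array( 'type' => 'string', 'pattern' => '^[0-9]{1,2}px$' ),
                ),
            ),
        ),
    );
}

function example_save_appearance_hardened() {
    // 1. CSRF: the nonce is required, but it only proves the request originated from a
    //    page this site served; it says nothing about who the requester is.
    check_ajax_referer( 'example_save_appearance', 'security' );

    // 2. Authorization: a site-wide setting may only be changed by a store manager/admin.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Rate limit: at most one write per user every 10 seconds (transient-based throttle).
    $throttle_key = 'example_appearance_write_' . get_current_user_id();
    if ( get_transient( $throttle_key ) ) {
        wp_send_json_error( array( 'message' => 'too many requests' ), 429 );
    }
    set_transient( $throttle_key, 1, 10 );

    // 4. Schema validation: the payload must be a JSON object matching the whitelist.
    $raw        = isset( $_POST['appearance'] ) ? wp_unslash( $_POST['appearance'] ) : '';
    $appearance = json_decode( $raw, true );
    if ( ! is_array( $appearance ) ) {
        wp_send_json_error( array( 'message' => 'invalid json' ), 400 );
    }
    $valid = rest_validate_value_from_schema( $appearance, example_appearance_schema(), 'appearance' );
    if ( is_wp_error( $valid ) ) {
        // 5. Monitoring: a rejected payload is the anomaly worth logging and alerting on.
        do_action( 'example_appearance_rejected', get_current_user_id(), $valid->get_error_message() );
        wp_send_json_error( array( 'message' => $valid->get_error_message() ), 400 );
    }

    // 6. Storage: an administrator-configured, site-wide setting belongs in options
    //    (privileged writes only), not in a transient any request could overwrite.
    update_option( 'example_upe_appearance', $appearance, false );
    do_action( 'example_appearance_updated', get_current_user_id(), $appearance );
    wp_send_json_success( $appearance );
}
```

If the appearance were meant to be per-visitor rather than site-wide, the same validation would apply, but the result would be kept in session-scoped or client-side storage and never written to a key shared by all shoppers.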