CVE-2025-57976: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-57976) was discovered in CardCom Payment Gateway affecting versions through 3.5.0.4. The vulnerability was disclosed on September 22, 2025, and allows exploiting incorrectly configured access control security levels (NVD).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 Base Score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue is categorized under CWE-862 (Missing Authorization) and represents a broken access control scenario where there is a missing authorization, authentication, or nonce token check that could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability has a low severity impact and allows unauthorized access to certain functions that should require higher privileges. While the specific impact varies case by case, it primarily affects the integrity of the system through potential unauthorized actions (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Given the low severity impact, virtual patching has been deemed unnecessary (Patchstack).

The vulnerability was initially reported by security researcher Bao - BlueRock on July 23, 2025, and an early warning was distributed to Patchstack customers on September 22, 2025, before public disclosure on September 24, 2025 (Patchstack).