WooCommerce向けの「Visa決済プラグイン」に、メールアドレスを指定するだけで任意のユーザーになりすましてログインできる認証回避の脆弱性

Subject: [Action Required] Critical Authentication Bypass in WooCommerce Visa Payment Plugin

Hi all,

This is a security advisory regarding a critical vulnerability identified in the WooCommerce payment plugin provided by Visa Acceptance Solutions.

■ Overview
A severe authentication bypass vulnerability (CVE-2026-3461) has been discovered. An attacker can log in as any existing user, including administrators, simply by specifying their email address, without requiring a password or one-time token. This could lead to a complete site takeover. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical).

■ Scope
- Environments utilizing the Visa Acceptance Solutions payment plugin for WooCommerce.

■ Mitigation Steps
1. Verify if the affected plugin is currently installed and active.
2. Since no official patch is available, immediately disable and remove the plugin.
3. Evaluate and migrate to an alternative payment software solution.

■ Reference
- WordPress.org Plugin Directory (Currently suspended)
- CVE-2026-3461

Priority: High (Prompt action is strongly recommended)