GHSA-rv89-wch8-c574

Source

https://github.com/advisories/GHSA-rv89-wch8-c574

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-rv89-wch8-c574/GHSA-rv89-wch8-c574.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rv89-wch8-c574

Aliases

CVE-2026-44584

Published

2026-06-22T20:29:41Z

Modified

2026-06-22T20:45:08.109311132Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Paymenter doesn't reset email verification status after email change

Details

Summary

The email update functionality fails to invalidate the existing verification state when a user changes their email address, allowing a verified account to retain its verified status after switching to an unverified or unowned email address.

Technical Details

When a user updated their email address, the system did not reset or revalidate the associated email verification status. As a result, the verification column remained set to “true” even after the email address was changed.

This allowed an attacker to:

Verify an account using a legitimate email address
Change the account email to an arbitrary or unowned address
Retain the verified status without re-confirmation of the new email

No verification challenge or confirmation was required for the newly assigned email address.

Impact

This vulnerability allows a user to associate a verified account with an email address they do not control, this may result in:

Misrepresentation of email ownership
Bypass of verification-based trust assumptions
Potential abuse of features gated behind verified status

No direct unauthorized access to other users accounts or data is possible through this issue alone.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T20:29:41Z",
    "nvd_published_at": null
}

References

Affected packages

Packagist / paymenter/paymenter

Package

Name: paymenter/paymenter
Purl: pkg:composer/paymenter%2Fpaymenter

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.0

Affected versions

0.*

0.1

0.1.1

0.1.2

0.1.3

0.2

0.2.1

v0.*

v0.3

v0.4

v0.4.1

v0.5

v0.5.1

v0.5.2

v0.5.3

v0.6

v0.7

v0.7.1

v0.8

v0.8.1

v0.8.2

v0.9

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.5

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.1.0

v1.1.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-rv89-wch8-c574/GHSA-rv89-wch8-c574.json"