Description
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
Published: 2026-01-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized manipulation of order payment status and disclosure of customer personal information.
Action: Immediate Patch
AI Analysis

Impact

The iPaymu Payment Gateway for WooCommerce plugin contains a missing authentication flaw in its 'check_ipaymu_response' function. An attacker can send crafted POST requests to the webhook endpoint without authenticating, causing the plugin to accept the request and prematurely mark a WooCommerce order as paid. Additionally, a simple GET request can enumerate order IDs and expose order keys, revealing personally identifiable information such as customer names, addresses, and purchased products. The weakness corresponds to CWE-862 (Missing Authorization).

Affected Systems

This vulnerability affects the iPaymu Payment Gateway for WooCommerce WordPress plugin in all releases up to and including version 2.0.2. Any site running one of these versions is exposed.

Risk and Exploitability

The CVSS score of 8.2 denotes a high-severity vulnerability; the EPSS score is below 1%, indicating a low likelihood of exploitation in the wild, and the issue is not tracked in the CISA KEV catalog. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N) states that the flaw is reachable over the network with low complexity and without privileges or user interaction, which is consistent with the missing authentication checks on the exposed webhook endpoint. An unauthenticated attacker only needs to send crafted POST requests to the webhook URL, and enumeration GET requests to the same endpoint, making the attack vector web-based and straightforward.

Generated by OpenCVE AI on April 16, 2026 at 02:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iPaymu Payment Gateway for WooCommerce plugin to the latest available release (greater than 2.0.2), which restores proper authentication checks for webhook processing.
  • If an upgrade cannot be performed immediately, block or remove the webhook endpoint from public access and enforce a shared secret or signature validation to ensure only legitimate requests are processed.
  • Implement additional WordPress security best practices: enforce HTTPS, restrict API access to trusted IP ranges, and monitor server logs for anomalous webhook traffic.
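As an added example, not the plugin's own code (which is not on this page), here is the shape of a WordPress REST webhook handler that does what the recommended actions call for: the HMAC signature over the raw body is checked in the route's permission_callback before any order code runs, the signed payload is cross-checked against the order before payment_complete() is called, and the response exposes no order key. The route name, header name, option name and payload fields are assumptions; the real iPaymu signing scheme is not described on this page.

```php
<?php
// Added example (not the plugin's code): a hardened webhook handler
// pattern for a WooCommerce payment plugin. Assumed, not from the
// advisory: the provider signs the raw POST body with HMAC-SHA256
// using a shared secret and sends it in an 'X-Signature' header; the
// payload carries 'order_id', 'amount', 'status' and 'transaction_id'.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/webhook', array(
        'methods'             => 'POST', // a GET never changes order state
        'callback'            => 'example_gateway_handle_webhook',
        'permission_callback' => 'example_gateway_verify_signature',
    ) );
} );

// Runs before the callback, so an unsigned or mis-signed request
// never reaches order-processing code (the gap this CVE describes).
function example_gateway_verify_signature( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_gateway_webhook_secret', '' );
    $given  = (string) $request->get_header( 'x_signature' );
    if ( '' === $secret || '' === $given ) {
        return new WP_Error( 'forbidden', 'Missing signature.', array( 'status' => 403 ) );
    }
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    // hash_equals() compares in constant time.
    if ( ! hash_equals( $expected, $given ) ) {
        return new WP_Error( 'forbidden', 'Bad signature.', array( 'status' => 403 ) );
    }
    return true;
}

function example_gateway_handle_webhook( WP_REST_Request $request ) {
    $data  = (array) $request->get_json_params();
    $order = wc_get_order( absint( $data['order_id'] ?? 0 ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Unknown order.', array( 'status' => 404 ) );
    }
    // A valid signature on some other order, or for a smaller amount,
    // must still not mark this order as paid.
    $amount_ok = abs( (float) $order->get_total() - (float) ( $data['amount'] ?? 0 ) ) < 0.005;
    if ( 'paid' !== ( $data['status'] ?? '' ) || ! $amount_ok ) {
        return new WP_Error( 'mismatch', 'Payload does not match order.', array( 'status' => 400 ) );
    }
    if ( ! $order->is_paid() ) { // idempotent: a replayed callback is a no-op
        $order->payment_complete( sanitize_text_field( $data['transaction_id'] ?? '' ) );
    }
    // Reply with nothing sensitive: no order key, no customer data.
    return rest_ensure_response( array( 'ok' => true ) );
}
```

Pair the secret with an up-to-date provider allow-list or TLS origin check where the provider offers one; the signature alone is what stops the crafted POST described above.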

History

Thu, 08 Jan 2026 10:00:00 +0000

First Time appeared (values added): Ipaymu; Ipaymu payment Gateway For Woocommerce; Wordpress; Wordpress wordpress
Vendors & Products (values added): Ipaymu; Ipaymu payment Gateway For Woocommerce; Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 06:45:00 +0000

Description (values added): identical to the Description at the top of this page.
Title (values added): iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure
Weaknesses (values added): CWE-862
References (values added):
Metrics cvssV3_1 (values added): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:07.165Z

Reserved: 2026-01-06T18:32:43.133Z

Link: CVE-2026-0656

Vulnrichment

Updated: 2026-01-07T14:51:30.248Z

NVD

Status : Deferred

Published: 2026-01-07T12:17:07.867

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:15:21Z

Weaknesses