Impact
The Fortis for WooCommerce WordPress plugin contains an authorization bypass caused by an inverted nonce check in the check_fortis_notify_response function: the handler proceeds for requests that should have been rejected. This lets unauthenticated attackers change WooCommerce order states, setting arbitrary orders to paid, processing, or completed without any payment having been made. An attacker can therefore mark orders as settled and obtain goods or services for free, causing direct financial loss and undermining trust in the store. The weakness is classified as CWE-862: Missing Authorization.
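The following is an added illustration, not code from the Fortis plugin or from Fortispay. It reconstructs the shape of an inverted nonce check on a WooCommerce wc-api callback handler next to a corrected version. The function names (fortis_notify_vulnerable, fortis_notify_fixed), the nonce action ('fortis_notify'), the callback name, and the request parameter names ('_wpnonce', 'order_id') are assumptions; the WordPress and WooCommerce calls (wp_verify_nonce, wc_get_order, WC_Order::needs_payment, WC_Order::payment_complete, the woocommerce_api_{name} action) are real APIs.

```php
<?php
// Added example; not the plugin's own code. Names marked as assumptions in the
// lead-in are hypothetical and chosen only to make the two shapes comparable.

function fortis_read_request_fields() {
    $nonce    = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;
    return array( $nonce, $order_id );
}

// Vulnerable shape: the condition is inverted. The handler aborts only when the
// nonce VERIFIES and continues for every request that carries no valid nonce,
// so an anonymous HTTP request naming an order ID reaches payment_complete().
function fortis_notify_vulnerable() {
    list( $nonce, $order_id ) = fortis_read_request_fields();

    if ( wp_verify_nonce( $nonce, 'fortis_notify' ) ) {   // BUG: missing "!"
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    $order = wc_get_order( $order_id );
    if ( $order ) {
        $order->payment_complete();   // reachable without any credential
    }
}

// Corrected shape: abort when the nonce does NOT verify, and additionally refuse
// to touch an order that is not still awaiting payment, so a replayed or
// mistargeted notification cannot flip a completed or refunded order.
function fortis_notify_fixed() {
    list( $nonce, $order_id ) = fortis_read_request_fields();

    if ( ! wp_verify_nonce( $nonce, 'fortis_notify' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order || ! $order->needs_payment() ) {
        wp_die( 'Order is not awaiting payment', '', array( 'response' => 400 ) );
    }

    $order->payment_complete();
}

// WooCommerce dispatches /?wc-api=fortis_notify to this action (callback name is an assumption).
add_action( 'woocommerce_api_fortis_notify', 'fortis_notify_fixed' );
```

Two caveats for anyone auditing a similar handler: a WordPress nonce is a CSRF token tied to the visitor's session, not proof that the payment gateway originated the request, so a server-to-server notification endpoint must also verify whatever authenticity mechanism the gateway provides (such as a signed payload or a gateway-side lookup of the transaction) before trusting the request; and the state check on the order is what limits the blast radius if the first gate fails again.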
Affected Systems
Any site running Fortis for WooCommerce version 1.2.0 or earlier is affected; 1.2.0 is the last release that contains the vulnerable code. The vendor, Fortispay, distributes the plugin through the WordPress plugin repository, and every release up to and including 1.2.0 carries the flaw. Site owners should confirm the installed version (for example on the WordPress Plugins screen) and update to a release newer than 1.2.0.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.3 (Medium), and its EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild at present. The flaw is reached through unauthenticated HTTP requests to the WooCommerce wc-api callback endpoint: an attacker needs only to send a crafted request naming an order ID, with no account, session, or special privileges. The issue is not listed in CISA's KEV catalog, so no in-the-wild exploitation has been confirmed, but a payment gateway's notification endpoint must be reachable from the internet by design, so exposed stores cannot rely on network placement to mitigate it and should update promptly.
OpenCVE Enrichment