Description
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated vulnerability exists in the IDPay Payment Gateway for WooCommerce plugin for WordPress versions 2.2.5 and earlier, allowing attackers to read confidential payment transaction data. The flaw originates from improper handling of sensitive information, identified as CWE‑497, and can result in the disclosure of user payment methods, transaction details, and potentially lead to financial fraud and loss.

Affected Systems

The affected product is the IDPay Payment Gateway for WooCommerce plugin for WordPress, for installations running version 2.2.5 or older. Site administrators should verify the plugin version and take action before proceeding with an update.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the EPSS score of <1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is unauthenticated HTTP requests to exposed plugin endpoints, enabling attackers to retrieve sensitive payment data without user authentication. While exploitation is currently considered unlikely, the potential impact on confidentiality and financial integrity warrants prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the IDPay Payment Gateway for WooCommerce plugin to a version newer than 2.2.5.
  • Configure or block the plugin’s data‑exposure endpoints so that only authenticated and authorized users can access them.
  • If an upgrade cannot be performed immediately, apply web‑application firewall rules or access restrictions to block unauthenticated requests to the sensitive URLs exposed by the plugin.

Generated by OpenCVE AI on June 18, 2026 at 01:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Hitpay
Hitpay payment Gateway For Woocommerce
Idpay
Idpay payment Gateway For Woocommerce
Vendors & Products Hitpay
Hitpay payment Gateway For Woocommerce
Idpay
Idpay payment Gateway For Woocommerce

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
Title WordPress IDPay Payment Gateway for Woocommerce plugin <= 2.2.5 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Hitpay Payment Gateway For Woocommerce
Idpay Payment Gateway For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:53:28.266Z

Reserved: 2026-03-31T09:57:17.719Z

Link: CVE-2026-34891

cve-icon Vulnrichment

Updated: 2026-06-16T14:53:23.831Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:41.737

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-34891

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:42Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere