Description
Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery (SSRF) enabling unauthorized network requests
Action: Patch Now
AI Analysis

Impact

Server‑Side Request Forgery (SSRF) allows an attacker to instruct the vulnerable Global Payments WooCommerce plugin to issue HTTP requests to arbitrary URLs, potentially accessing internal services or external sites without proper authorization, which could lead to data exposure or further exploitation. This weakness, classified as CWE‑918, originates from insufficient validation of user‑supplied URLs used by the plugin.

Affected Systems

The vulnerability affects installations of the Global Payments WooCommerce plugin version 1.18.0 and earlier on WordPress sites, a commonly deployed payment integration for WooCommerce stores.

Risk and Exploitability

With a CVSS score of 5.4, the issue carries moderate severity, while an EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to provide a crafted URL to the plugin, potentially via a site visitor's request or a specially crafted API call, to trigger the SSRF. Although exploitation is unlikely, administrators should still consider patching to prevent potential access to internal networks.

Generated by OpenCVE AI on April 13, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Global Payments WooCommerce plugin to the latest version (1.18.1 or newer).
  • If an immediate update is not possible, limit or block outbound HTTP requests initiated by WordPress using firewall rules or host‑based controls.
  • Consider disabling the plugin until a patch is applied.
  • Monitor web server logs for abnormal outbound traffic patterns that may indicate SSRF attempts.

Generated by OpenCVE AI on April 13, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Global Payments
Global Payments globalpayments Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Global Payments
Global Payments globalpayments Woocommerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.
Title WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses CWE-918
References

Subscriptions

Global Payments Globalpayments Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.130Z

Reserved: 2026-04-07T10:57:48.107Z

Link: CVE-2026-39645

cve-icon Vulnrichment

Updated: 2026-04-13T20:26:02.863Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:35.340

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:54Z

Weaknesses