Description
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated manipulation of payment status leading to fraudulent order fulfillment
Action: Apply Patch
AI Analysis

Impact

The plugin contains a flaw where the callback handler calculates a local cryptographic signature but fails to verify the Ds_Signature provided in the request. This allows an attacker who can guess a valid order key and amount to forge callback data that marks a pending order as paid, potentially enabling the completion of checkout and delivery of products or services without a legitimate payment. The weakness is a classic cryptographic signature verification failure (CWE-347).

Affected Systems

WordPress sites using the Payment Gateway for Redsys & WooCommerce Lite plugin in any version up to and including 7.0.0 are affected. Site operators running this plugin should check the installed plugin version; any deployment on 7.0.0 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. An EPSS score is not available, so the likelihood of exploitation cannot be quantified here. The attack can be performed remotely by sending a crafted HTTP request to the payment callback endpoint; no authentication is required. The vulnerability is not listed in the CISA KEV catalog, but its impact on financial transactions makes it a priority for remediation. Without proper cryptographic signature validation, attackers can impersonate the payment gateway's response to the e-commerce platform, turning unpaid orders into paid ones.

Generated by OpenCVE AI on April 16, 2026 at 08:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Payment Gateway for Redsys & WooCommerce Lite plugin to the latest version, which removes the signature verification flaw.
  • Implement or enable strict signature verification on the payment callback handling code to ensure the Ds_Signature matches the expected value before accepting the order status.
  • Restrict access to the payment callback endpoint to known IP ranges or require additional authentication tokens to reduce the surface for unauthenticated manipulation.
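As an added example (not the plugin's code, and not the real Redsys signature scheme), the following Python sketch contrasts the flawed pattern the description names, a local signature that is computed but never compared against Ds_Signature, with the check the second recommendation asks for. The HMAC-SHA256 derivation, the base64/JSON parameter encoding, the use of Ds_Response "0000" as the approval code, the order store and the merchant secret are all assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed merchant secret shared with the gateway; placeholder, not a real key.
MERCHANT_SECRET = b"placeholder-merchant-secret"


def make_orders():
    """Constructed order store: order number -> order key, amount (cents), status."""
    return {"000123": {"key": "wc_order_abc123", "amount": 4999, "status": "pending"}}


def encode_parameters(params):
    """Serialise notification parameters the way the assumed gateway would send them."""
    return base64.b64encode(json.dumps(params, sort_keys=True).encode()).decode()


def decode_parameters(params_b64):
    return json.loads(base64.b64decode(params_b64))


def sign_parameters(params_b64, secret):
    """Assumed simplified scheme: HMAC-SHA256 over the encoded parameters."""
    mac = hmac.new(secret, params_b64.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _apply_status(params, orders):
    """Shared business checks: order exists, key and amount match, response approved."""
    order = orders.get(params.get("Ds_Order"))
    if order is None:
        return False
    if order["key"] != params.get("order_key") or order["amount"] != params.get("Ds_Amount"):
        return False
    if params.get("Ds_Response") != "0000":  # assumed: "0000" means authorised
        return False
    order["status"] = "paid"
    return True


def vulnerable_successful_request(callback, orders):
    """Mirrors the flawed pattern: local signature computed but never compared."""
    params_b64 = callback["Ds_MerchantParameters"]
    _local_signature = sign_parameters(params_b64, MERCHANT_SECRET)  # computed, then ignored
    return _apply_status(decode_parameters(params_b64), orders)


def hardened_successful_request(callback, orders):
    """Fix: reject the callback unless Ds_Signature matches the locally computed signature."""
    params_b64 = callback["Ds_MerchantParameters"]
    local_signature = sign_parameters(params_b64, MERCHANT_SECRET)
    received = callback.get("Ds_Signature", "")
    # Constant-time comparison so the check itself does not leak through timing.
    if not hmac.compare_digest(local_signature, received):
        return False
    return _apply_status(decode_parameters(params_b64), orders)


def demo():
    """Run both handlers over a genuine notification and one carrying a bogus signature.

    Returns {(handler, notification): (accepted, resulting order status)}.
    """
    params = {"Ds_Order": "000123", "order_key": "wc_order_abc123",
              "Ds_Amount": 4999, "Ds_Response": "0000"}
    params_b64 = encode_parameters(params)
    genuine = {"Ds_MerchantParameters": params_b64,
               "Ds_Signature": sign_parameters(params_b64, MERCHANT_SECRET)}
    # Same parameters (correct key and amount) but no knowledge of the secret.
    unsigned = {"Ds_MerchantParameters": params_b64,
                "Ds_Signature": base64.b64encode(b"\x00" * 32).decode()}
    results = {}
    for name, handler in (("vulnerable", vulnerable_successful_request),
                          ("hardened", hardened_successful_request)):
        for label, callback in (("genuine", genuine), ("unsigned", unsigned)):
            orders = make_orders()
            accepted = handler(callback, orders)
            results[(name, label)] = (accepted, orders["000123"]["status"])
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

The vulnerable handler marks the order paid for both notifications because the key and amount match; the hardened handler only does so when the signature verifies, which is the behaviour to confirm after upgrading or patching the callback code.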

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

  Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added:
    Jconti
    Jconti payment Gateway For Redsys & Woocommerce Lite
    Wordpress
    Wordpress wordpress

  Type: Vendors & Products
  Values Removed: (none)
  Values Added:
    Jconti
    Jconti payment Gateway For Redsys & Woocommerce Lite
    Wordpress
    Wordpress wordpress

Thu, 16 Apr 2026 05:45:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.

  Type: Title
  Values Removed: (none)
  Values Added: Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-347

  Type: References
  Values Removed: (none)
  Values Added: (empty)

  Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T13:42:20.364Z

Reserved: 2026-03-27T16:53:47.167Z

Link: CVE-2026-5050

Vulnrichment

Updated: 2026-04-16T13:29:24.582Z

NVD

Status: Received

Published: 2026-04-16T06:16:20.587

Modified: 2026-04-16T06:16:20.587

Link: CVE-2026-5050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:11:48Z

Weaknesses