Description
Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Payment Gateway Based Fees and Discounts for WooCommerce plugin suffers from an unauthenticated insecure direct object reference (IDOR) flaw that permits attackers to access and potentially modify the configuration of payment gateway fees and discounts. Because the plugin fails to enforce proper authorization checks on requests that identify fee/discount objects, an attacker can alter the rules that affect transaction amounts, potentially injecting unapproved fees or discounts.

Affected Systems

WordPress sites running the Payment Gateway Based Fees and Discounts for WooCommerce plugin from Tyche Softwares, versions 3.0.0 and older are vulnerable. The plugin is commonly used in WooCommerce shops to calculate gateway‑specific fees, so any site with an out‑of‑date installation is at risk.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. The flaw can be exploited by sending crafted HTTP requests containing the identifiers of fee/discount objects. Because the vulnerability is unauthenticated, an attacker with internet access can induce changes to financial transaction rules without legitimate credentials.

Generated by OpenCVE AI on June 26, 2026 at 17:16 UTC.

Remediation

Vendor Solution

Update the WordPress Payment Gateway Based Fees and Discounts for WooCommerce Plugin to the latest available version (at least 3.1.0).


OpenCVE Recommended Actions

  • Update Payment Gateway Based Fees and Discounts for WooCommerce to version 3.1.0 or newer.
  • Ensure that only authenticated administrators can view or modify fee and discount settings by applying strict role‑based access controls.
  • Validate all input parameters for fee and discount values and enforce authorization checks before processing any changes.

Generated by OpenCVE AI on June 26, 2026 at 17:16 UTC.
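The weakness class here is CWE-639 (authorization bypass through a user-controlled key): a request names a fee/discount rule by its identifier and the handler acts on it without checking who is asking. The following is an added, generic WordPress illustration of that pattern and of the fix the recommended actions describe (capability check, nonce, and validation of the identifier before any change). It is not code from the affected plugin; every name (`demo_gateway_fee_rules`, `demo_update_fee_rule`, the `rule_id` and `amount` parameters, the nonce action) is a hypothetical placeholder chosen for the example.

```php
<?php
// Generic illustration of CWE-639 in a WordPress AJAX handler and its fix.
// All names below are hypothetical; this is not the affected plugin's code.

// Hypothetical storage: fee/discount rules kept in one option, keyed by rule id.
function demo_get_fee_rules() {
    $rules = get_option( 'demo_gateway_fee_rules', array() );
    return is_array( $rules ) ? $rules : array();
}

// BEFORE: reachable by any visitor via wp_ajax_nopriv_, and both the rule id
// (the user-controlled key) and the new amount are taken straight from the
// request with no authorization or validation.
function demo_update_fee_rule_insecure() {
    $rules                  = demo_get_fee_rules();
    $id                     = $_POST['rule_id'];
    $rules[ $id ]['amount'] = $_POST['amount'];
    update_option( 'demo_gateway_fee_rules', $rules );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_update_fee_rule', 'demo_update_fee_rule_insecure' );
add_action( 'wp_ajax_demo_update_fee_rule', 'demo_update_fee_rule_insecure' );

// AFTER: registered for logged-in users only, gated on a WooCommerce admin
// capability and a nonce, and the id must name an existing rule before
// anything is written. wp_send_json_error() ends the request, so no return
// statements are needed after it.
function demo_update_fee_rule_secure() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'demo_fee_rule_nonce', 'nonce' );

    $rules = demo_get_fee_rules();
    $id    = isset( $_POST['rule_id'] ) ? sanitize_key( wp_unslash( $_POST['rule_id'] ) ) : '';
    if ( '' === $id || ! array_key_exists( $id, $rules ) ) {
        wp_send_json_error( array( 'message' => 'unknown rule' ), 404 );
    }

    $amount = isset( $_POST['amount'] ) ? wp_unslash( $_POST['amount'] ) : null;
    if ( ! is_numeric( $amount ) ) {
        wp_send_json_error( array( 'message' => 'invalid amount' ), 400 );
    }

    $rules[ $id ]['amount'] = (float) $amount;
    update_option( 'demo_gateway_fee_rules', $rules );
    wp_send_json_success( array( 'rule_id' => $id ) );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests never reach it.
add_action( 'wp_ajax_demo_update_fee_rule_secure', 'demo_update_fee_rule_secure' );
```

The two differences that matter for this CVE class are the absence of a `wp_ajax_nopriv_` hook and the `current_user_can()` check, which together make the identifier in the request useless to an anonymous caller; the existence check on `$id` and the numeric check on `$amount` cover the input-validation item in the list above. On a site running an affected version, a change to the stored fee/discount rules that is not accompanied by an administrator login in the audit trail is the signal worth alerting on until the plugin is updated.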

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  -                Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions.
Title        -                WordPress Payment Gateway Based Fees and Discounts for WooCommerce plugin <= 3.0.0 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses   -                CWE-639
References   -                -
Metrics      -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:44.766Z

Reserved: 2026-06-18T14:37:51.351Z

Link: CVE-2026-56048

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key