Impact
The Eupago Gateway for WooCommerce plugin prior to version 4.7.2 does not restrict access to its refund request handler, so an unauthenticated attacker can initiate refunds against any WooCommerce order using the merchant's configured payment gateway credentials. For payment methods that support it, the attacker can direct the refunded funds to an account they control, causing direct financial loss to the merchant. The flaw lets an attacker alter an order's transaction state and move money without the merchant's approval, compromising the integrity and confidentiality of the merchant's financial data.
Affected Systems
Any WordPress site running the Eupago Gateway for WooCommerce plugin at a version older than 4.7.2 is vulnerable. The plugin is typically installed on WooCommerce-powered e-commerce sites, and the flaw is reachable through the refund endpoint the plugin exposes. Site owners should check the installed version on the WordPress Plugins screen and update to 4.7.2 or later.
Risk and Exploitability
The vulnerability is exploitable with unauthenticated HTTP requests to the refund endpoint, so no credentials are required; anyone who can reach the site over the network can trigger it by sending a crafted request to the plugin's refund URL. The CVSS score of 8.6 reflects high severity. The EPSS score is 0.00044 (0.044%), indicating a low predicted probability of exploitation in the wild at the time of scoring, and the vulnerability is not yet listed in the CISA KEV catalog. The missing authentication check combined with the potential for direct financial loss nonetheless makes the overall risk high.
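The page does not show how the plugin registers its refund handler, so the following is an added illustration of the bug class (a WordPress refund endpoint with no authorization check beside a hardened version), not the Eupago plugin's own code. The route namespace, route paths, function name and the 'manage_woocommerce' capability are assumptions chosen for the example; the WooCommerce functions used (wc_get_order, wc_create_refund, WC_Order::get_remaining_refund_amount) are real WooCommerce APIs.

```php
<?php
// Added example, not code from the Eupago Gateway for WooCommerce plugin.
// Route names and the capability requirement are assumptions.

// VULNERABLE pattern: a REST route whose permission_callback admits everyone,
// so an unauthenticated client can reach the refund handler directly.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/refund', array(
        'methods'             => 'POST',
        'callback'            => 'example_gateway_handle_refund',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
} );

// HARDENED pattern: the permission_callback requires a user with the
// WooCommerce management capability, and the arguments are validated.
// For cookie-authenticated REST calls WordPress core also checks the
// X-WP-Nonce header before this callback runs; Application Passwords or
// other REST authentication set the current user instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/refund-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_gateway_handle_refund',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'order_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'amount' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (float) $value > 0;
                },
            ),
        ),
    ) );
} );

// Shared handler. Authorization belongs in the route's permission_callback;
// the handler still enforces server-side limits on what a refund may do.
function example_gateway_handle_refund( WP_REST_Request $request ) {
    $order_id = $request->get_param( 'order_id' );
    $amount   = (float) $request->get_param( 'amount' );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Unknown order', array( 'status' => 404 ) );
    }

    // Never refund more than the order's remaining refundable balance.
    if ( $amount > (float) $order->get_remaining_refund_amount() ) {
        return new WP_Error( 'invalid_amount', 'Refund exceeds refundable balance', array( 'status' => 400 ) );
    }

    // The refund destination is the original payment instrument, handled by the
    // gateway through WooCommerce; no client-supplied account is accepted.
    $refund = wc_create_refund( array(
        'order_id'       => $order->get_id(),
        'amount'         => $amount,
        'reason'         => 'Refund via example-gateway REST route',
        'refund_payment' => true,
    ) );
    if ( is_wp_error( $refund ) ) {
        return $refund;
    }

    return rest_ensure_response( array( 'refund_id' => $refund->get_id() ) );
}
```

The same mistake appears in other forms, for instance registering a refund handler on a wp_ajax_nopriv_ hook or running it from an init action with no capability check; in every case the fix is the same: authenticate and authorize before touching the gateway, and cap the refund amount and destination on the server rather than trusting request parameters.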
OpenCVE Enrichment