216.73.217.172

CVE-2026-0656

· Published 07/01/2026 12:17 · Modified 08/01/2026 18:08

Labels: CVE-2026-0656 2026-01-07CVE-2026-0656CWE-862[email protected]

Essential information

Published
07/01/2026 12:17
Modified
08/01/2026 18:08
Author
Creator
CVSS
8.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS metrics

Description

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
ipaymu / payment gateway for woocommerce cpe:2.3:a:ipaymu:payment_gateway_for_woocommerce:*:*:*:*:*:wordpress:*:*

References