CVE-2026-0656
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2Tags
Description
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
Analysis
Unauthenticated attackers can manipulate WooCommerce orders and expose customer data in the iPaymu Payment Gateway for WooCommerce plugin (versions up to 2.0.2) due to missing webhook signature verification. An attacker can forge payment confirmations to mark orders as paid without actual payment and enumerate order details to harvest PII including customer names, addresses, and purchase history. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 7 days: Identify all affected systems running for WordPress is vulnerable to Missing Authentication in all and apply vendor patches promptly. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today