CVE-2026-1305
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Tags
Description
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.
Analysis
The Japanized for WooCommerce plugin through version 2.8.4 fails to properly validate webhook signatures, allowing unauthenticated attackers to bypass payment authentication and fraudulently update order statuses to "Processing" or "Completed" without actual payment. An attacker can exploit this by omitting the signature header in POST requests to the Paidy webhook endpoint, resulting in the permission check unconditionally returning true. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Improper Authentication in and apply vendor patches as part of regular patch cycle. Audit authentication configurations.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today