Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable endpoint discloses sensitive data with no user interaction; only confidentiality is impacted, so I:N and A:N, matching the disclosed vector.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.
Technical ContextAI
The affected component is the IDPay Payment Gateway for WooCommerce plugin (CPE cpe:2.3:a:idpay:idpay_payment_gateway_for_woocommerce), a third-party WordPress/WooCommerce extension that bridges the e-commerce platform to the IDPay payment processor. The root cause is mapped to CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which typically arises when a plugin exposes configuration data, API credentials, transaction details, or debug information through endpoints or files that should be restricted. In WordPress plugins, this class of flaw commonly manifests as unauthenticated AJAX actions, REST routes, or log/debug files that leak data the application reasonably expected to keep internal.
RemediationAI
Patch available per vendor advisory: upgrade the IDPay Payment Gateway for WooCommerce plugin to a version newer than 2.2.5 as published on the WordPress plugin repository, consulting the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woo-idpay-gateway/vulnerability/wordpress-idpay-payment-gateway-for-woocommerce-plugin-2-2-5-sensitive-data-exposure-vulnerability) for the exact fixed release number, since no specific fix version is included in the supplied intelligence. If immediate patching is not possible, compensating controls include deactivating the IDPay plugin (which will disable IDPay as a payment method and break any in-flight IDPay transactions), restricting access to the plugin's endpoints and any related AJAX/REST routes via a WAF rule or web server allowlist (which may break legitimate checkout flows for IDPay customers if rules are too broad), and rotating any IDPay merchant API credentials after patching in case they were already exposed. Monitor web server access logs for unusual requests to plugin paths under /wp-content/plugins/woo-idpay-gateway/ and to WooCommerce/WordPress AJAX/REST endpoints referencing IDPay.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36918
GHSA-x4qm-q8p4-wm7w