Skip to main content

Redsys for WooCommerce Light CVE-2026-40741

| EUVDEUVD-2026-36973 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-785h-w333-7p44
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable missing-authorization flaw in a WordPress plugin endpoint; integrity-only impact on payment state, no disclosed confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:14 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions.

AnalysisAI

Broken access control in the Redsys for WooCommerce Light WordPress plugin (versions up to and including 7.0.0) allows remote unauthenticated attackers to invoke privileged functionality without proper authorization checks, leading to integrity impact on payment gateway operations. The flaw stems from missing authorization (CWE-862) on plugin endpoints, and at time of analysis no public exploit was identified, though the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) makes it trivially reachable. The vulnerability was reported by Patchstack and tracked as EUVD-2026-36973.

Technical ContextAI

Redsys for WooCommerce Light (slug woo-redsys-gateway-light, authored by Jose Conti per the CPE jose_conti:redsys_for_woocommerce_light) is a WordPress payment gateway plugin that integrates the Spanish Redsys card-payment platform into WooCommerce checkouts. CWE-862 (Missing Authorization) means an action handler - typically a WordPress AJAX endpoint, REST route, or admin-post hook - fails to verify the caller's capability or nonce before executing privileged logic. In payment-gateway plugins this class of bug commonly exposes order-state or transaction-handling functions (for example, marking an order as paid, retrieving transaction data, or altering gateway configuration) to anonymous HTTP callers.

RemediationAI

No vendor-released patch version is independently confirmed in the available data - the Patchstack advisory identifies 7.0.0 as the last vulnerable release but does not cite a specific fixed version in the input, so administrators should consult the Patchstack record at https://patchstack.com/database/wordpress/plugin/woo-redsys-gateway-light/vulnerability/wordpress-redsys-for-woocommerce-light-plugin-7-0-0-broken-access-control-vulnerability and the plugin's WordPress.org listing for an upgrade above 7.0.0 and apply it immediately. Until a confirmed patched release is installed, compensating controls include deactivating the woo-redsys-gateway-light plugin (this disables Redsys card payments on the store and will break checkout for that gateway), restricting access to wp-admin/admin-ajax.php and the plugin's REST routes via a Web Application Firewall rule that blocks unauthenticated requests to known plugin action names (risk: legitimate gateway callbacks from Redsys may also be filtered if rules are too broad, so allowlist the Redsys notification IP ranges), or temporarily switching WooCommerce to an alternative payment gateway. Patchstack mDVPN/vPatch subscribers receive a virtual patch via their firewall integration as a stopgap.

Share

CVE-2026-40741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy