Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.
AnalysisAI
Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.
Technical ContextAI
The vulnerability exists in the successful_request() handlers of the Payment Gateway for Redsys & WooCommerce Lite plugin (jconti vendor), affecting payment processing for Redsys, Bizum, and Google Pay gateway integrations. The plugin computes a local HMAC signature to validate payment callbacks but fails to compare this against the Ds_Signature parameter supplied in the incoming request from the payment processor. This represents CWE-347 (Improper Verification of Cryptographic Signature), a critical authentication bypass class. In properly implemented cryptographic signature schemes, the server must receive a signed payload from the payment gateway, recompute the expected signature using a shared secret, and verify it matches the received signature before trusting the payment status. The plugin performs the computation but skips the comparison step, allowing attackers to craft arbitrary payment callback data that the plugin accepts as legitimate. The vulnerability spans multiple payment method implementations (Redsys, Bizum, Google Pay), indicating a systemic validation gap rather than a single-gateway issue.
RemediationAI
Immediately upgrade to the patched version of Payment Gateway for Redsys & WooCommerce Lite. The fix is available in WordPress plugin repository changeset 3501998, viewable at https://plugins.trac.wordpress.org/changeset/3501998/woo-redsys-gateway-light (corresponds to version 7.0.1 or later - verify exact release version in plugin changelog). The patch implements proper Ds_Signature validation against computed local signatures before accepting payment status updates. For sites unable to immediately upgrade, implement compensating controls: manually verify all completed orders against actual payment processor transaction logs before fulfillment (labor-intensive but prevents fraud), restrict network access to payment callback endpoints to known payment gateway IP ranges if provider publishes them (Redsys documentation should list authorized source IPs), implement additional order review workflows flagging orders marked paid within suspicious timeframes or matching reconnaissance patterns. Note that IP restrictions may break legitimate callbacks if gateway infrastructure changes. Temporarily disabling the plugin stops new fraudulent orders but halts all legitimate payment processing - only viable for non-production sites. Review existing order history for anomalies: orders marked paid without corresponding gateway transaction records, multiple orders from same customer with sequential order keys, or fulfillment preceding payment timestamp gaps.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23194
GHSA-6pcx-jf98-3w2h