Skip to main content

Jwt Attack CVE-2026-5050

| EUVDEUVD-2026-23194 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-04-16 Wordfence GHSA-6pcx-jf98-3w2h
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 06:37 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 06:00 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 05:45 euvd
EUVD-2026-23194
Analysis Generated
Apr 16, 2026 - 05:45 vuln.today
CVE Published
Apr 16, 2026 - 05:29 nvd
HIGH 7.5

DescriptionCVE.org

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.

AnalysisAI

Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.

Technical ContextAI

The vulnerability exists in the successful_request() handlers of the Payment Gateway for Redsys & WooCommerce Lite plugin (jconti vendor), affecting payment processing for Redsys, Bizum, and Google Pay gateway integrations. The plugin computes a local HMAC signature to validate payment callbacks but fails to compare this against the Ds_Signature parameter supplied in the incoming request from the payment processor. This represents CWE-347 (Improper Verification of Cryptographic Signature), a critical authentication bypass class. In properly implemented cryptographic signature schemes, the server must receive a signed payload from the payment gateway, recompute the expected signature using a shared secret, and verify it matches the received signature before trusting the payment status. The plugin performs the computation but skips the comparison step, allowing attackers to craft arbitrary payment callback data that the plugin accepts as legitimate. The vulnerability spans multiple payment method implementations (Redsys, Bizum, Google Pay), indicating a systemic validation gap rather than a single-gateway issue.

RemediationAI

Immediately upgrade to the patched version of Payment Gateway for Redsys & WooCommerce Lite. The fix is available in WordPress plugin repository changeset 3501998, viewable at https://plugins.trac.wordpress.org/changeset/3501998/woo-redsys-gateway-light (corresponds to version 7.0.1 or later - verify exact release version in plugin changelog). The patch implements proper Ds_Signature validation against computed local signatures before accepting payment status updates. For sites unable to immediately upgrade, implement compensating controls: manually verify all completed orders against actual payment processor transaction logs before fulfillment (labor-intensive but prevents fraud), restrict network access to payment callback endpoints to known payment gateway IP ranges if provider publishes them (Redsys documentation should list authorized source IPs), implement additional order review workflows flagging orders marked paid within suspicious timeframes or matching reconnaissance patterns. Note that IP restrictions may break legitimate callbacks if gateway infrastructure changes. Temporarily disabling the plugin stops new fraudulent orders but halts all legitimate payment processing - only viable for non-production sites. Review existing order history for anomalies: orders marked paid without corresponding gateway transaction records, multiple orders from same customer with sequential order keys, or fulfillment preceding payment timestamp gaps.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-5050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy