CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
Description (NVD)
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.
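The defect described above is a missing comparison, not a missing computation: the handler derives the signature it expects but never checks it against the Ds_Signature the request carries, so any payload naming a real pending order (order number, key, amount) is accepted. The following Python model, added here and not code from the plugin, vendor, or this page, places the described vulnerable pattern beside a hardened handler that verifies the signature in constant time before reading the payment status. The HMAC-SHA256 scheme, the JSON encoding of Ds_MerchantParameters, the "0000" response code and the order store are all constructed stand-ins; the advisory does not describe the gateway's real signing scheme, and the verification logic is the same whichever scheme is used.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real merchant key would never be hard-coded like this.
MERCHANT_SECRET = b"constructed-demo-secret"


def make_orders():
    """Constructed pending-order store keyed by order number (stand-in for WooCommerce)."""
    return {"000123": {"order_key": "wc_order_demo", "amount": "1999", "status": "pending"}}


def compute_signature(merchant_parameters: str, secret: bytes) -> str:
    """Server-side signature over the encoded Ds_MerchantParameters.

    Assumption: plain HMAC-SHA256 (hex) stands in for the gateway's real scheme,
    which this page does not describe.
    """
    return hmac.new(secret, merchant_parameters.encode(), hashlib.sha256).hexdigest()


def make_callback(params: dict, signature: str) -> dict:
    """Build a callback request: encoded parameters plus the signature field."""
    return {"Ds_MerchantParameters": json.dumps(params, sort_keys=True),
            "Ds_Signature": signature}


def _matching_pending_order(params: dict, orders: dict):
    """Return the pending order the callback refers to, or None if it does not match."""
    order = orders.get(params.get("Ds_Order"))
    if order is None or order["status"] != "pending":
        return None
    if params.get("order_key") != order["order_key"] or params.get("Ds_Amount") != order["amount"]:
        return None
    return order


def vulnerable_successful_request(request: dict, orders: dict, secret: bytes = MERCHANT_SECRET) -> bool:
    """Pattern the advisory describes: a local signature is computed but the
    request's Ds_Signature is never compared against it."""
    encoded = request["Ds_MerchantParameters"]
    _local_signature = compute_signature(encoded, secret)  # computed, then ignored
    params = json.loads(encoded)
    order = _matching_pending_order(params, orders)
    if order is None:
        return False
    if params.get("Ds_Response") == "0000":  # constructed: "0000" means authorised
        order["status"] = "paid"
        return True
    return False


def fixed_successful_request(request: dict, orders: dict, secret: bytes = MERCHANT_SECRET) -> bool:
    """Hardened handler: refuse the callback unless the signature verifies, using a
    constant-time comparison, and only then look at the payment status."""
    encoded = request["Ds_MerchantParameters"]
    expected = compute_signature(encoded, secret)
    provided = request.get("Ds_Signature", "")
    if not hmac.compare_digest(expected, provided):
        return False
    params = json.loads(encoded)
    order = _matching_pending_order(params, orders)
    if order is None:
        return False
    if params.get("Ds_Response") == "0000":
        order["status"] = "paid"
        return True
    return False


def demo() -> dict:
    """Run both handlers against a callback with a bogus signature and a genuine one."""
    params = {"Ds_Order": "000123", "order_key": "wc_order_demo",
              "Ds_Amount": "1999", "Ds_Response": "0000"}
    # Callback whose signature was not produced with the merchant secret.
    bogus = make_callback(params, "0" * 64)
    # Callback as the real gateway would sign it.
    genuine = make_callback(params, compute_signature(json.dumps(params, sort_keys=True), MERCHANT_SECRET))

    results = {}
    orders = make_orders()
    results["vulnerable_accepts_bogus"] = vulnerable_successful_request(bogus, orders)
    orders = make_orders()
    results["fixed_accepts_bogus"] = fixed_successful_request(bogus, orders)
    orders = make_orders()
    results["fixed_accepts_genuine"] = fixed_successful_request(genuine, orders)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points in the hardened version carry over to any callback handler: the signature check comes before any parsing or order lookup, so unsigned input never influences state, and the comparison uses `hmac.compare_digest` rather than `==` so that a rejected signature leaks no timing information about the expected value.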
Analysis (AI)
Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. …
Remediation (AI)
Within 24 hours: Identify all WooCommerce installations using 'Payment Gateway for Redsys & WooCommerce Lite' plugin and document current versions via admin dashboard or security audit tool. Within 7 days: Update all instances to version 7.0.1 or later per vendor changeset 3501998; verify update completion across all sites. …
External POC / Exploit Code
EUVD-2026-23194
GHSA-6pcx-jf98-3w2h