Eupago Gateway for WooCommerce CVE-2026-7862

EUVD-2026-32727
Severity: HIGH (CVSS 3.1 score 8.6)
Improper Access Control (CWE-284)
2026-05-28 WPScan GHSA-fppg-vjhw-hp4m

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline (5 events)

Analysis Generated: May 28, 2026 - 12:22 (vuln.today)
CVSS changed: May 28, 2026 - 12:22 (NVD), 8.6 (HIGH)
Patch available: May 28, 2026 - 09:01 (EUVD)
CVE Published: May 28, 2026 - 06:00 (nvd), HIGH 8.6
CVE Published: May 28, 2026 - 06:00 (nvd), UNKNOWN (no severity yet)

Description (NVD)

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.

Analysis (AI)

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials and, for certain payment methods, divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow. Publicly available exploit code exists per WPScan, though no confirmation of active exploitation in CISA KEV was identified at time of analysis.

Remediation (AI)

Within 24 hours: Immediately update Eupago Gateway for WooCommerce to version 4.7.2 or later; if immediate patching is not possible, disable the plugin and switch to an alternative payment processor. Within 7 days: Verify all instances of the plugin across the organization are patched, audit refund transaction logs from the vulnerability discovery date backward for suspicious or unauthorized refunds, and cross-check refund destinations against approved merchant accounts. …
