Skip to main content

IDPay Payment Gateway EUVDEUVD-2026-36918

| CVE-2026-34891 HIGH
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-15 Patchstack GHSA-x4qm-q8p4-wm7w
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable endpoint discloses sensitive data with no user interaction; only confidentiality is impacted, so I:N and A:N, matching the disclosed vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:37 vuln.today
CVE Published
Jun 15, 2026 - 20:17 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.

Technical ContextAI

The affected component is the IDPay Payment Gateway for WooCommerce plugin (CPE cpe:2.3:a:idpay:idpay_payment_gateway_for_woocommerce), a third-party WordPress/WooCommerce extension that bridges the e-commerce platform to the IDPay payment processor. The root cause is mapped to CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which typically arises when a plugin exposes configuration data, API credentials, transaction details, or debug information through endpoints or files that should be restricted. In WordPress plugins, this class of flaw commonly manifests as unauthenticated AJAX actions, REST routes, or log/debug files that leak data the application reasonably expected to keep internal.

RemediationAI

Patch available per vendor advisory: upgrade the IDPay Payment Gateway for WooCommerce plugin to a version newer than 2.2.5 as published on the WordPress plugin repository, consulting the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woo-idpay-gateway/vulnerability/wordpress-idpay-payment-gateway-for-woocommerce-plugin-2-2-5-sensitive-data-exposure-vulnerability) for the exact fixed release number, since no specific fix version is included in the supplied intelligence. If immediate patching is not possible, compensating controls include deactivating the IDPay plugin (which will disable IDPay as a payment method and break any in-flight IDPay transactions), restricting access to the plugin's endpoints and any related AJAX/REST routes via a WAF rule or web server allowlist (which may break legitimate checkout flows for IDPay customers if rules are too broad), and rotating any IDPay merchant API credentials after patching in case they were already exposed. Monitor web server access logs for unusual requests to plugin paths under /wp-content/plugins/woo-idpay-gateway/ and to WooCommerce/WordPress AJAX/REST endpoints referencing IDPay.

Share

EUVD-2026-36918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy