Skip to main content

STRABL WordPress Plugin EUVDEUVD-2026-37995

| CVE-2026-3640 MEDIUM
Missing Authorization (CWE-862)
2026-06-19 Wordfence GHSA-v9cf-wxpg-292v
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
7.5 HIGH

I:H reflects full order fraud, refund abuse, account creation, and order cancellation - systemic integrity loss beyond partial data modification.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 08:31 vuln.today
CVE Published
Jun 19, 2026 - 06:51 nvd
MEDIUM 5.3

DescriptionCVE.org

The STRABL - A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees - all without making a legitimate payment or having any valid credentials.

AnalysisAI

Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with STRABL plugin
Delivery
Send unauthenticated POST to /wp-json/strabl/webhook/order
Exploit
Supply paymentStatus=paid with attacker-controlled order data
Execution
WooCommerce records fraudulent completed order
Impact
Attacker claims goods or services without payment

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the STRABL plugin being installed and active on a WordPress/WooCommerce site accessible over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.3 (Medium) reflects only I:L, which understates the business impact: the ability to create fraudulent paid orders, register user accounts, issue refunds, and cancel orders represents a systemic integrity failure of the entire payment and order workflow. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a WooCommerce store running STRABL by scanning for the /wp-json/strabl/webhook/order endpoint (e.g., via Shodan or automated WordPress fingerprinting). The attacker sends a crafted POST request containing paymentStatus=paid and a self-generated order payload, causing WooCommerce to record a fully paid, completed order - allowing physical or digital goods to be dispatched without any payment. …
Remediation A WordPress plugin repository changeset (changeset 3558301 at plugins.trac.wordpress.org/changeset/3558301) has been committed, representing an upstream code fix; however, a confirmed patched release version has not been independently verified from available data - administrators should check the WordPress plugin directory for a version newer than 4.5 and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy