Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
I:H reflects full order fraud, refund abuse, account creation, and order cancellation - systemic integrity loss beyond partial data modification.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The STRABL - A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees - all without making a legitimate payment or having any valid credentials.
AnalysisAI
Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond the STRABL plugin being installed and active on a WordPress/WooCommerce site accessible over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 5.3 (Medium) reflects only I:L, which understates the business impact: the ability to create fraudulent paid orders, register user accounts, issue refunds, and cancel orders represents a systemic integrity failure of the entire payment and order workflow. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a WooCommerce store running STRABL by scanning for the /wp-json/strabl/webhook/order endpoint (e.g., via Shodan or automated WordPress fingerprinting). The attacker sends a crafted POST request containing paymentStatus=paid and a self-generated order payload, causing WooCommerce to record a fully paid, completed order - allowing physical or digital goods to be dispatched without any payment. … |
| Remediation | A WordPress plugin repository changeset (changeset 3558301 at plugins.trac.wordpress.org/changeset/3558301) has been committed, representing an upstream code fix; however, a confirmed patched release version has not been independently verified from available data - administrators should check the WordPress plugin directory for a version newer than 4.5 and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37995
GHSA-v9cf-wxpg-292v