Corvuspay Woocommerce Payment Gateway
Monthly
Stored cross-site scripting in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (all versions through 2.7.4) lets unauthenticated attackers persist arbitrary JavaScript through the 'approval_code' parameter. The plugin exposes the REST route POST /wp-json/corvuspay/success/ with permission_callback set to __return_true, and its signature check only logs failures instead of blocking execution, so an attacker with any bogus signature can write a malicious approval_code into the order record, which then executes when a store operator or user views the affected page. Reported by Wordfence; no public exploit identified at time of analysis and no EPSS or KEV data provided.
Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.
Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.
Stored cross-site scripting in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (all versions through 2.7.4) lets unauthenticated attackers persist arbitrary JavaScript through the 'approval_code' parameter. The plugin exposes the REST route POST /wp-json/corvuspay/success/ with permission_callback set to __return_true, and its signature check only logs failures instead of blocking execution, so an attacker with any bogus signature can write a malicious approval_code into the order record, which then executes when a store operator or user views the affected page. Reported by Wordfence; no public exploit identified at time of analysis and no EPSS or KEV data provided.
Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.
Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.