Skip to main content

Strabl A Checkout Solution

1 CVEs product

Monthly

CVE-2026-3640 MEDIUM This Month

Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.

Authentication Bypass WordPress Strabl A Checkout Solution
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.

Authentication Bypass WordPress Strabl A Checkout Solution
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy