Skip to main content

Woocommerce Stripe Payment Gateway

1 CVEs product

Monthly

CVE-2026-2381 MEDIUM This Month

Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the `ajax_pay_for_order()` function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.

Authentication Bypass WordPress Woocommerce Stripe Payment Gateway
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the `ajax_pay_for_order()` function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.

Authentication Bypass WordPress Woocommerce Stripe Payment Gateway
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy