WordPress · WordPress · CVE-2026-1305
**Name of the Vulnerable Software and Affected Versions**
Japanized for WooCommerce plugin for WordPress versions up to and including 2.8.4
**Description**
The plugin has an authentication flaw. A flawed permission check in the `paidy webhook permission check` function returns `true` when the webhook signature header is missing. Because the check passes without a signature, unauthenticated attackers can bypass payment verification and fraudulently mark orders as "Processing" or "Completed" by sending a crafted POST request to the vulnerable API endpoint, the Paidy webhook endpoint.
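The fail-open pattern described above, next to a fail-closed version, as an added example that is not the plugin's own code. The header name, the HMAC-SHA256 signing scheme, the function names and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical header name and signing scheme (HMAC-SHA256 over the raw body);
// the page does not state what the real webhook uses.
const SIG_HEADER = 'x-example-signature';

/** Fail-open pattern described above: a missing header is treated as "allowed". */
function permission_check_fail_open(array $headers, string $body, string $secret): bool
{
    $sig = $headers[SIG_HEADER] ?? '';
    if ($sig === '') {
        return true; // defect: no signature means no verification at all
    }
    return hash_equals(hash_hmac('sha256', $body, $secret), $sig);
}

/** Fail-closed form: every path that cannot prove authenticity returns false. */
function permission_check_fail_closed(array $headers, string $body, string $secret): bool
{
    if ($secret === '') {
        return false; // an unconfigured secret must not make requests valid
    }
    $sig = $headers[SIG_HEADER] ?? null;
    if (!is_string($sig) || $sig === '') {
        return false; // missing or malformed header is a rejection
    }
    $expected = hash_hmac('sha256', $body, $secret);
    return hash_equals($expected, strtolower(trim($sig))); // constant-time compare
}

// Constructed sample data, not captured traffic.
$secret = 'constructed-test-secret';
$body   = '{"event":"constructed-sample"}';
$cases  = [
    'valid signature' => [SIG_HEADER => hash_hmac('sha256', $body, $secret)],
    'wrong signature' => [SIG_HEADER => str_repeat('0', 64)],
    'header missing'  => [],
];
foreach ($cases as $label => $headers) {
    printf(
        "%-16s fail-open=%s fail-closed=%s\n",
        $label,
        var_export(permission_check_fail_open($headers, $body, $secret), true),
        var_export(permission_check_fail_closed($headers, $body, $secret), true)
    );
}
```

The two functions differ only on the "header missing" row, which is the case a regression test for this class of bug should pin down.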
**Recommendations**
Update Japanized for WooCommerce plugin for WordPress to a version later than 2.8.4.