Yansongda

Rank #30648 of 53,635 · Total CVSS 8.6 · Vulnerabilities: 1
PT-2026-28169 · CVSS 8.6 · 2026-03-25 · Unknown · Wechat Pay · CVE-2026-33661
**Name of the Vulnerable Software and Affected Versions**

Pay, versions prior to 3.7.20.

**Description**

The `verify_wechat_sign()` function in `src/Functions.php` does not properly validate signatures when the `Host` header of the incoming PSR-7 request is set to `localhost`. Because the `Host` header is entirely under the sender's control, an attacker can bypass the RSA signature check simply by sending a crafted HTTP request to the application's WeChat Pay callback endpoint with `Host: localhost`. No valid signature from the WeChat Pay platform is needed.

This makes it possible to forge WeChat Pay payment-success notifications, so an application relying on the library's verification may mark orders as paid although no payment took place. Any deployment whose callback endpoint is reachable by the attacker is exposed.

The vulnerable code is located in `src/Functions.php`, lines 243-246, in `verify_wechat_sign()`. The affected API endpoint is the WeChat Pay callback endpoint, and the vulnerable parameter is the `Host` header.

**Recommendations**

Update to version 3.7.20 or later. Signature verification of payment notifications must never be conditional on request metadata such as the `Host` header.
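The following is an added example, not code from the Pay library or from this advisory. It models the bypass class described above with a minimal PSR-7-style request object and two verifiers: one that, like the flaw, trusts any request whose `Host` header is `localhost`, and a hardened one that checks the signature unconditionally. Everything in it is an assumption for illustration: the `Wechatpay-*` header names and the `timestamp\nnonce\nbody\n` signed layout follow the WeChat Pay API v3 convention, which the advisory itself does not spell out, HMAC-SHA256 with a constructed key stands in for the platform's RSA signature so the example runs with only the standard library, and `handle_callback` is a hypothetical order handler.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for the WeChat Pay platform key. The real library verifies an RSA
# signature against the platform certificate; HMAC-SHA256 is substituted only so this
# runs offline. The Host-header logic, not the signature primitive, is the point.
PLATFORM_KEY = b"constructed-demo-platform-key"


@dataclass
class Request:
    """Minimal stand-in for a PSR-7 ServerRequest: a header map plus the raw body."""
    headers: dict
    body: bytes

    def header(self, name: str) -> str:
        # PSR-7 header lookup is case-insensitive; missing header reads as empty string
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def signed_message(req: Request) -> bytes:
    # Assumed WeChat Pay v3 layout: "timestamp\nnonce\nbody\n"
    return b"%s\n%s\n%s\n" % (
        req.header("Wechatpay-Timestamp").encode(),
        req.header("Wechatpay-Nonce").encode(),
        req.body,
    )


def platform_sign(req: Request) -> str:
    """What the (simulated) platform would put in Wechatpay-Signature."""
    return hmac.new(PLATFORM_KEY, signed_message(req), hashlib.sha256).hexdigest()


def signature_valid(req: Request) -> bool:
    presented = req.header("Wechatpay-Signature")
    if not presented:
        return False  # fail closed when the header is absent
    return hmac.compare_digest(presented, platform_sign(req))


def verify_vulnerable(req: Request) -> bool:
    """Reproduces the flaw class in the advisory: a request claiming Host: localhost
    is trusted without any signature check (exact string comparison assumed)."""
    if req.header("Host") == "localhost":
        return True
    return signature_valid(req)


def verify_hardened(req: Request) -> bool:
    """Hardened form: Host is attacker-controlled and plays no part in the decision."""
    return signature_valid(req)


def handle_callback(req: Request, verify) -> str:
    """Hypothetical order handler; returns the action the application would take."""
    if not verify(req):
        return "REJECTED"
    notice = json.loads(req.body)
    if notice.get("trade_state") == "SUCCESS":
        return "PAID:" + notice["out_trade_no"]
    return "IGNORED"


# Constructed notification body claiming a successful payment for order ORDER-1
NOTICE = json.dumps({"out_trade_no": "ORDER-1", "trade_state": "SUCCESS"}).encode()


def forged_request(host: str = "localhost") -> Request:
    """Attacker's crafted callback: bogus signature, Host header chosen freely."""
    return Request(
        headers={
            "Host": host,
            "Wechatpay-Timestamp": "1700000000",
            "Wechatpay-Nonce": "attacker-nonce",
            "Wechatpay-Signature": "0" * 64,
        },
        body=NOTICE,
    )


def legitimate_request() -> Request:
    """Genuine notification: signed with the platform key, arriving at the real host."""
    req = Request(
        headers={"Host": "shop.example", "Wechatpay-Timestamp": "1700000000",
                 "Wechatpay-Nonce": "n1"},
        body=NOTICE,
    )
    req.headers["Wechatpay-Signature"] = platform_sign(req)
    return req


if __name__ == "__main__":
    cases = (("forged, Host: localhost", forged_request()),
             ("forged, Host: shop.example", forged_request("shop.example")),
             ("legitimate", legitimate_request()))
    for label, req in cases:
        print(f"{label:28} vulnerable={handle_callback(req, verify_vulnerable):13} "
              f"hardened={handle_callback(req, verify_hardened)}")
```

Running it shows the forged request with `Host: localhost` accepted by the vulnerable verifier and marked as paid, while the same forged request is rejected as soon as the Host header is anything else or the hardened verifier is used; the genuinely signed request passes both. The practical lesson is that the only input that may influence the accept/reject decision is the signature itself, computed over the complete signed material.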