PT-2026-56786 · Corvusinfo · Corvuspay Woocommerce Payment Gateway

Valatty

·

Publicado

2026-07-09

·

Atualizado

2026-07-09

·

CVE-2026-9027

CVSS v3.1

5.3

Média

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspay success handler function registers the REST endpoint POST /wp-json/corvuspay/success/ with 'permission callback' => ' return true', and while it calls $this->client->validate->signature() and stores the boolean result in $res, the result is never evaluated in a conditional — it is only written to the debug log — causing execution to unconditionally reach $order->payment complete() regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the order number POST parameter, requiring no prior knowledge of the victim order.

Correção

Improper Verification of Cryptographic Signature

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-9027

Produtos afetados

Corvuspay Woocommerce Payment Gateway