CVE-2026-0692

Name of the Vulnerable Software and Affected Versions BlueSnap Payment Gateway for WooCommerce plugin for WordPress versions up to and including 3.3.0

Description The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is susceptible to unauthorized access. The plugin uses the WooCommerce WC Geolocation::get ip address() function to validate IPN requests, which relies on user-controlled headers such as X-Real-IP and X-Forwarded-For to determine the client IP address. This allows attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and sending forged IPN data. This manipulation can alter order statuses, including marking orders as paid, failed, refunded, or on-hold, without authorization.

Recommendations Update the BlueSnap Payment Gateway for WooCommerce plugin to a version later than 3.3.0.