
633Kh4Ck
Rank #31533 of 53,640 · Total CVSS 8.1 · Vulnerabilities: 1
PT-2020-20301
8.1
2020-02-25
Magento · Magento 2 · CVE-2020-8818
**Name of the Vulnerable Software and Affected Versions**
CardGate Payments plugin versions through 2.0.30 for Magento 2

**Description**
The IPN callback handler in Controller/Payment/Callback.php does not authenticate the origin of incoming callback requests. A remote attacker can use this to replace critical plugin settings, such as the `merchant ID` and `secret key`, and so bypass the payment process. For example, an attacker can spoof an order status by sending a hand-crafted IPN callback request that carries a valid signature but corresponds to no real payment, and/or receive all subsequent payments.

**Recommendations**
For CardGate Payments plugin versions through 2.0.30, consider disabling the IPN callback processing function in Controller/Payment/Callback.php until a patch is available, to prevent remote replacement of critical plugin settings. Restrict access to the `Callback.php` file to minimize the risk of exploitation. Until the issue is resolved, do not rely on an IPN callback request that carries a valid signature but is not backed by a real payment.