Geekhack

**Name of the Vulnerable Software and Affected Versions** CardGate Payments plugin for WooCommerce versions through 3.1.15 **Description** The issue is related to a lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php. This allows an attacker to remotely replace critical plugin settings, such as `merchant ID` and `secret key`, and bypass the payment process. For example, an attacker can spoof an order status by manually sending an IPN callback request with a valid signature but without real payment, and/or receive all of the subsequent payments. **Recommendations** For CardGate Payments plugin for WooCommerce versions through 3.1.15, update to a version later than 3.1.15 to resolve the issue. As a temporary workaround, consider restricting access to the IPN callback processing function in cardgate/cardgate.php to minimize the risk of exploitation. Avoid using the IPN callback request with a valid signature but without real payment until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GloBee plugin versions prior to 1.1.2 Description: The issue arises from the mishandling of IPN messages by the GloBee plugin. Recommendations: For versions prior to 1.1.2, update to version 1.1.2 or later to resolve the issue.