WordPress · Bluesnap Payment Gateway For Woocommerce · CVE-2026-0692
**Name of the Vulnerable Software and Affected Versions**
BlueSnap Payment Gateway for WooCommerce plugin for WordPress versions up to and including 3.3.0
**Description**
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is susceptible to unauthorized access. The plugin uses the WooCommerce `WC_Geolocation::get_ip_address()` function to validate IPN requests, which relies on user-controlled headers such as `X-Real-IP` and `X-Forwarded-For` to determine the client IP address. This allows attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and sending forged IPN data. This manipulation can alter order statuses, including marking orders as paid, failed, refunded, or on-hold, without authorization.
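The trust problem described above, as an added example that is not the plugin's or WooCommerce's own code: a header-first resolver modelled on the behaviour this advisory describes, beside one that starts from the TCP peer address and reads `X-Forwarded-For` only behind a proxy the site operates. The function names, the allowlist and the proxy address are assumptions, with addresses taken from the RFC 5737 documentation ranges.

```php
<?php
// Constructed placeholders (RFC 5737 ranges), not real BlueSnap or proxy addresses.
const IPN_ALLOWLIST   = ['192.0.2.10', '192.0.2.11'];
const TRUSTED_PROXIES = ['198.51.100.5'];

// Stand-in for the header-first resolution the advisory describes:
// client-supplied headers win over the TCP peer address.
function header_first_ip(array $server): string {
    foreach (['HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $h) {
        if (!empty($server[$h])) {
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened resolution: use REMOTE_ADDR, and read X-Forwarded-For only when the
// direct peer is our own proxy, walking right to left to the first untrusted hop.
function peer_based_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            return $peer; // malformed chain: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;  // first address our own proxy actually observed
        }
    }
    return $peer;
}
function ipn_allowed(string $ip): bool {
    return in_array($ip, IPN_ALLOWLIST, true);
}

// Constructed $_SERVER-like inputs covering direct and proxied requests.
$requests = [
    'direct, forged header'  => ['REMOTE_ADDR' => '203.0.113.77', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10'],
    'direct from allowlist'  => ['REMOTE_ADDR' => '192.0.2.10'],
    'via own proxy, genuine' => ['REMOTE_ADDR' => '198.51.100.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.11'],
    'via own proxy, forged'  => ['REMOTE_ADDR' => '198.51.100.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 203.0.113.77'],
];
foreach ($requests as $label => $s) {
    $old = ipn_allowed(header_first_ip($s)) ? 'allow' : 'deny';
    $new = ipn_allowed(peer_based_ip($s)) ? 'allow' : 'deny';
    printf("%-24s header-first=%-5s peer-based=%s\n", $label, $old, $new);
}
```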
**Recommendations**
Update the BlueSnap Payment Gateway for WooCommerce plugin to a version later than 3.3.0.