CVE-2020-8819

Name of the Vulnerable Software and Affected Versions CardGate Payments plugin for WooCommerce versions through 3.1.15

Description The issue is related to a lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php. This allows an attacker to remotely replace critical plugin settings, such as merchant ID and secret key, and bypass the payment process. For example, an attacker can spoof an order status by manually sending an IPN callback request with a valid signature but without real payment, and/or receive all of the subsequent payments.

Recommendations For CardGate Payments plugin for WooCommerce versions through 3.1.15, update to a version later than 3.1.15 to resolve the issue. As a temporary workaround, consider restricting access to the IPN callback processing function in cardgate/cardgate.php to minimize the risk of exploitation. Avoid using the IPN callback request with a valid signature but without real payment until the issue is resolved.