PT-2026-1574 · WordPress+1 · Hitpay Payment Gateway For Woocommerce+1

Teerachai Somprasong · Published 2026-01-07 · Updated 2026-01-07 · CVE-2026-0656

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions: iPaymu Payment Gateway for WooCommerce plugin for WordPress versions up to and including 2.0.2

Description: The iPaymu Payment Gateway for WooCommerce plugin for WordPress is susceptible to missing authentication. This occurs because the plugin does not validate the authenticity of webhook requests through signature verification or origin checks. An unauthenticated attacker can send crafted POST requests to the webhook endpoint to falsely mark WooCommerce orders as paid, without actual payment. Additionally, attackers can enumerate order IDs and obtain valid order keys via GET requests, potentially exposing customer Personally Identifiable Information (PII) such as names, addresses, and purchased products. The vulnerable function is check_ipaymu_response.

Recommendations: Update the iPaymu Payment Gateway for WooCommerce plugin for WordPress to a version later than 2.0.2.
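
The check the description says is missing, as an added example (not the plugin's or iPaymu's code): a callback handler that verifies an HMAC signature over the raw body, and that the callback matches the stored order, before any status change. The header names, signing scheme, secret, payload fields and order array are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Assumed scheme (not iPaymu's documented callback format): the gateway sends
// X-Timestamp and X-Signature = HMAC-SHA256(secret, timestamp . "." . raw body).
const MAX_SKEW_SECONDS = 300;

function webhook_is_authentic(string $rawBody, string $ts, string $sig, string $secret, int $now): bool
{
    if ($secret === '' || !ctype_digit($ts)) {
        return false; // fail closed on missing configuration or malformed input
    }
    if (abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return false; // stale or replayed delivery
    }
    $expected = hash_hmac('sha256', $ts . '.' . $rawBody, $secret);
    return hash_equals($expected, strtolower($sig)); // constant-time comparison
}

// Returns the action the handler takes: 'reject', 'ignore' or 'mark_paid'.
function handle_webhook(string $rawBody, array $headers, array $order, string $secret, int $now): string
{
    $ts  = $headers['X-Timestamp'] ?? '';
    $sig = $headers['X-Signature'] ?? '';
    if (!webhook_is_authentic($rawBody, $ts, $sig, $secret, $now)) {
        return 'reject'; // respond 401 and leave the order untouched
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data) || ($data['status'] ?? '') !== 'paid') {
        return 'ignore';
    }
    // Even a signed callback must match the stored order it claims to pay.
    $amountMatches = (string) ($data['amount'] ?? '') === (string) $order['total'];
    if ($order['status'] !== 'pending' || !$amountMatches) {
        return 'ignore';
    }
    return 'mark_paid';
}

// Constructed sample: one correctly signed delivery and one unsigned forgery.
$secret = 'constructed-test-secret';
$now    = 1767744000;
$body   = '{"order_id":1001,"status":"paid","amount":"150000"}';
$order  = ['status' => 'pending', 'total' => '150000'];
$good   = ['X-Timestamp' => (string) $now, 'X-Signature' => hash_hmac('sha256', $now . '.' . $body, $secret)];
$forged = ['X-Timestamp' => (string) $now, 'X-Signature' => str_repeat('0', 64)];
echo handle_webhook($body, $good, $order, $secret, $now), "\n";
echo handle_webhook($body, $forged, $order, $secret, $now), "\n";
```

In a real handler the raw body is read from php://input before any parsing, and the 'mark_paid' result is the only path allowed to change the order status.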

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-0656

Affected Products: Woocommerce, Hitpay Payment Gateway For Woocommerce