PT-2026-28169 · Unknown · Wechat Pay
Yansongda · Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33661
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Pay versions prior to 3.7.20
Description: The verify_wechat_sign() function in src/Functions.php does not properly validate signatures when the Host header of a PSR-7 request is set to localhost. An attacker can bypass the RSA signature check by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, forging WeChat Pay payment-success notifications so that an application marks orders as paid without any actual payment. The vulnerable code is located in src/Functions.php, lines 243-246, in verify_wechat_sign(). The affected API endpoint is the WeChat Pay callback endpoint; the vulnerable parameter is the Host header.
Recommendations: Update versions prior to 3.7.20 to version 3.7.20 or later.
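The defect described above is a gating bug: a value the sender controls (the Host header) decides whether the signature check runs at all. The PHP below is an added illustration, not code from the yansongda/pay library or from the advisory. It reconstructs that pattern as a hypothetical simplified verifier next to the hardened form in which the RSA check is unconditional. The Wechatpay-Timestamp, Wechatpay-Nonce and Wechatpay-Signature header names and the "timestamp\nnonce\nbody\n" signed-message layout are assumptions about the WeChat Pay v3 API and are not stated on the page; plain arrays stand in for a PSR-7 request, and the key pair, notification body and 5-minute freshness window are constructed for the demonstration.

```php
<?php
// Added illustration (not code from yansongda/pay). Requires ext-openssl.
declare(strict_types=1);

// WeChat Pay v3 header names (assumed; not stated in the advisory).
const WECHAT_TIMESTAMP = 'Wechatpay-Timestamp';
const WECHAT_NONCE     = 'Wechatpay-Nonce';
const WECHAT_SIGNATURE = 'Wechatpay-Signature';

/** RSA-SHA256 check over "timestamp\nnonce\nbody\n" (v3 layout, assumed). */
function verifyRsaSha256(array $headers, string $body, string $platformPublicKeyPem): bool
{
    foreach ([WECHAT_TIMESTAMP, WECHAT_NONCE, WECHAT_SIGNATURE] as $name) {
        if (!isset($headers[$name]) || $headers[$name] === '') {
            return false; // missing material is a failure, never a pass
        }
    }
    // Reject stale notifications (constructed 5-minute window) to limit replay.
    if (abs(time() - (int) $headers[WECHAT_TIMESTAMP]) > 300) {
        return false;
    }
    $signature = base64_decode($headers[WECHAT_SIGNATURE], true);
    $publicKey = openssl_pkey_get_public($platformPublicKeyPem);
    if ($signature === false || $publicKey === false) {
        return false;
    }
    $message = $headers[WECHAT_TIMESTAMP] . "\n" . $headers[WECHAT_NONCE] . "\n" . $body . "\n";
    return openssl_verify($message, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

/** Vulnerable pattern (hypothetical): a request-controlled header short-circuits verification. */
function verifyWechatSignVulnerable(array $headers, string $body, string $platformPublicKeyPem): bool
{
    if (($headers['Host'] ?? '') === 'localhost') {
        return true; // the RSA check is skipped on nothing more than a header value
    }
    return verifyRsaSha256($headers, $body, $platformPublicKeyPem);
}

/** Hardened form: the signature is always checked; Host plays no role. */
function verifyWechatSignFixed(array $headers, string $body, string $platformPublicKeyPem): bool
{
    return verifyRsaSha256($headers, $body, $platformPublicKeyPem);
}

// --- Constructed demonstration: one genuine notification, one forgery ---
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$platformPublicKeyPem = openssl_pkey_get_details($keyPair)['key'];

$body      = '{"event_type":"TRANSACTION.SUCCESS","resource":{"ciphertext":"CONSTRUCTED_PLACEHOLDER"}}';
$timestamp = (string) time();
$nonce     = bin2hex(random_bytes(16));
openssl_sign($timestamp . "\n" . $nonce . "\n" . $body . "\n", $rawSig, $keyPair, OPENSSL_ALGO_SHA256);

$genuine = [
    'Host'           => 'pay.example.test',
    WECHAT_TIMESTAMP => $timestamp,
    WECHAT_NONCE     => $nonce,
    WECHAT_SIGNATURE => base64_encode($rawSig),
];
$forged = [
    'Host'           => 'localhost',                          // the spoofed header from the advisory
    WECHAT_TIMESTAMP => $timestamp,
    WECHAT_NONCE     => $nonce,
    WECHAT_SIGNATURE => base64_encode(str_repeat("\0", 256)), // not a valid signature
];

foreach (['vulnerable' => 'verifyWechatSignVulnerable', 'fixed' => 'verifyWechatSignFixed'] as $label => $fn) {
    printf("%-10s genuine=%s forged=%s\n",
        $label,
        var_export($fn($genuine, $body, $platformPublicKeyPem), true),
        var_export($fn($forged, $body, $platformPublicKeyPem), true));
}
```

Run with the php CLI. The vulnerable verifier accepts both requests, the forgery solely because of its Host header; the hardened verifier accepts only the genuinely signed notification. In a real PSR-7 handler the Host value would arrive through getHeaderLine('Host') or getUri()->getHost(), and the point of the fix is that the verifier never consults it. For detection on unpatched deployments, callback requests whose Host header is localhost but whose source address is not loopback are worth alerting on, since no legitimate WeChat Pay notification arrives that way.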

Weakness Enumeration: Authentication Bypass by Spoofing

Related Identifiers: CVE-2026-33661, GHSA-Q938-GHWV-8GVC

Affected Products: Wechat Pay