PT-2026-33269 · WordPress · Payment Gateway For Redsys & Woocommerce Lite

Published 2026-04-16 · Updated 2026-04-16 · CVE-2026-5050

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Payment Gateway for Redsys & WooCommerce Lite versions prior to 7.0.1

Description

The plugin improperly verifies cryptographic signatures. In the Redsys, Bizum, and Google Pay gateway flows, the successful_request() handlers calculate a local signature but fail to validate the Ds_Signature from the request before accepting the payment status. This allows unauthenticated attackers who possess a valid order key and order amount to forge payment callback data, marking pending orders as paid and potentially obtaining products or services without payment.

Recommendations

Update to a version later than 7.0.0.
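
The weakness in the description, shown as an added example that is not the plugin's code: a callback handler that computes the expected signature and never compares it, beside one that fails closed unless Ds_Signature matches. The function names, the demo key, the plain HMAC-SHA256 over Ds_MerchantParameters and the Ds_Response range are assumptions for illustration and do not reproduce the gateway's real signing scheme.

```php
<?php
// Added illustration: names, key and the simplified HMAC are assumptions.
const DEMO_KEY = 'constructed-demo-key'; // constructed sample secret

function expected_signature(string $params, string $key): string
{
    return base64_encode(hash_hmac('sha256', $params, $key, true));
}

// Assumption for the demo: Ds_Response 0000-0099 means authorised.
function is_authorised(string $params): bool
{
    $data = json_decode(base64_decode($params, true) ?: '', true);
    $code = is_array($data) ? ($data['Ds_Response'] ?? '') : '';
    return is_string($code) && ctype_digit($code) && (int) $code <= 99;
}

// Vulnerable pattern: the local signature is computed, then never compared.
function callback_vulnerable(array $post): bool
{
    $params = (string) ($post['Ds_MerchantParameters'] ?? '');
    $local  = expected_signature($params, DEMO_KEY); // result is unused
    return is_authorised($params);
}

// Hardened pattern: fail closed unless Ds_Signature matches the local value.
function callback_hardened(array $post): bool
{
    $params   = $post['Ds_MerchantParameters'] ?? null;
    $received = $post['Ds_Signature'] ?? null;
    if (!is_string($params) || !is_string($received)) {
        return false; // missing or malformed fields
    }
    // hash_equals() compares in constant time.
    if (!hash_equals(expected_signature($params, DEMO_KEY), $received)) {
        return false; // order stays pending
    }
    return is_authorised($params);
}

// Constructed callbacks: one signed with the key, one with a bogus signature.
$params = base64_encode(json_encode(['Ds_Order' => '1001', 'Ds_Response' => '0000']));
$signed = ['Ds_MerchantParameters' => $params, 'Ds_Signature' => expected_signature($params, DEMO_KEY)];
$bogus  = ['Ds_MerchantParameters' => $params, 'Ds_Signature' => 'not-a-valid-signature'];

var_dump(callback_vulnerable($bogus)); // bogus signature, vulnerable handler
var_dump(callback_hardened($bogus));   // bogus signature, hardened handler
var_dump(callback_hardened($signed));  // valid signature, hardened handler
```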

Fix

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: CVE-2026-5050

Affected Products: Payment Gateway For Redsys & Woocommerce Lite