What the vulnerability does
01 Description
The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payment's status through server-side validation at the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid, resulting in a loss of revenue.
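To check whether a site has received requests to this callback endpoint from unexpected sources, the following added example (not code from the plugin or from this advisory's source) scans a web server access log in combined format. The trusted network list and the log lines are constructed placeholders; the list is an assumption that your payment processor calls back from known addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Endpoint name taken from the advisory text.
ENDPOINT = "bp-payeer-gateway-callback"

# Assumption: placeholder range (RFC 5737). Replace with the source
# networks your payment processor documents for its callbacks.
TRUSTED_CALLBACK_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample log lines, not taken from a real site.
SAMPLE_LOG = """\
192.0.2.5 - - [01/Jan/2026:10:00:01 +0000] "POST /wc-api/bp-payeer-gateway-callback HTTP/1.1" 200 2 "-" "-"
203.0.113.9 - - [01/Jan/2026:10:05:12 +0000] "POST /wc-api/bp-payeer-gateway-callback HTTP/1.1" 200 2 "-" "-"
203.0.113.9 - - [01/Jan/2026:10:05:40 +0000] "GET /wc-api/bp-payeer-gateway-callback/ HTTP/1.1" 200 2 "-" "-"
198.51.100.7 - - [01/Jan/2026:10:06:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "-"
not a log line
"""


def is_trusted(ip):
    """True if ip parses and falls inside a trusted callback network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CALLBACK_NETS)


def suspicious_callbacks(log_text):
    """Group callback-endpoint hits from untrusted sources by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        if ENDPOINT not in m["target"].lower():
            continue  # unrelated request
        if not is_trusted(m["ip"]):
            hits[m["ip"]].append((m["ts"], m["method"], m["status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in suspicious_callbacks(SAMPLE_LOG).items():
        print(ip, events)
```

Each reported timestamp is a starting point for comparing orders marked paid around that time against the payment processor's own transaction history.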
Explanation of Vulnerability in Simple Terms
02 Summary
The Crypto Payment Gateway with Payeer for WooCommerce plugin through version 1.0.3 lacks proper authorization checks on sensitive operations. An attacker can modify payment data or transaction records without authentication. This affects all installations of the plugin and requires immediate patching to prevent unauthorized payment manipulation.
What an attacker can do
03 Attacker Capabilities
Modify payment records or transaction data without logging in to the site.
Potential impact on your site
04 Site Impact
Attackers can alter payment amounts, statuses, or customer records, leading to financial loss and order fraud.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 4, 2025: CVE published
April 8, 2026: Record updated