What the vulnerability does
01 Description
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
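As an added illustration (not code from the iPaymu plugin or from iPaymu), the following WordPress/WooCommerce-style webhook handler shows the checks whose absence the description attributes to 'check_ipaymu_response': it accepts only POST, verifies an HMAC-SHA256 signature over the raw body with a shared secret before touching any order, requires the order key in addition to the numeric order id, binds the notification to the order total, and never echoes order data back to the caller. The header name, the option key holding the secret, the JSON field names and the HMAC scheme itself are assumptions for this example, not iPaymu's actual protocol; a real integration must use the signing scheme documented by the gateway.

```php
<?php
// Added example, not the plugin's code. The constants below are hypothetical:
// the real header name and secret location come from the gateway's documentation.
define('EXAMPLE_SIGNATURE_HEADER', 'HTTP_X_EXAMPLE_SIGNATURE'); // $_SERVER key for "X-Example-Signature"
define('EXAMPLE_SECRET_OPTION',    'example_gateway_webhook_secret');

/**
 * Return true only if $header_sig is the hex HMAC-SHA256 of $raw_body under $secret.
 * hash_equals() keeps the comparison constant-time; an empty secret never validates,
 * so a misconfigured site fails closed instead of accepting everything.
 */
function example_webhook_signature_valid(string $raw_body, string $header_sig, string $secret): bool {
    if ($secret === '' || $header_sig === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $raw_body, $secret);
    return hash_equals($expected, strtolower(trim($header_sig)));
}

/**
 * Webhook entry point. Every early exit returns a bare status and a fixed string,
 * so neither a GET probe nor an unsigned POST can learn anything about an order.
 */
function example_check_gateway_response(): void {
    // Reject GET outright: a notification endpoint has no reason to answer reads.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        status_header(405);
        exit('method not allowed');
    }

    $raw_body   = file_get_contents('php://input');
    $header_sig = $_SERVER[EXAMPLE_SIGNATURE_HEADER] ?? '';
    $secret     = (string) get_option(EXAMPLE_SECRET_OPTION, '');

    // Authenticate the message before parsing it or loading any order.
    if (!example_webhook_signature_valid($raw_body, $header_sig, $secret)) {
        status_header(403);
        exit('invalid webhook signature');
    }

    $payload = json_decode($raw_body, true);
    if (!is_array($payload)) {
        status_header(400);
        exit('malformed payload');
    }

    $order = wc_get_order((int) ($payload['order_id'] ?? 0));
    if (!$order) {
        status_header(404);
        exit('unknown order');
    }

    // The numeric id alone is guessable; require the order key as well.
    if (!hash_equals($order->get_order_key(), (string) ($payload['order_key'] ?? ''))) {
        status_header(403);
        exit('order key mismatch');
    }

    // Bind the notification to the amount actually owed, so a signed message
    // for a cheap order cannot settle a more expensive one.
    $paid = (float) ($payload['amount'] ?? 0);
    if (abs($paid - (float) $order->get_total()) > 0.005) {
        status_header(400);
        exit('amount mismatch');
    }

    // Idempotency: a repeated or late notification must not re-complete the order.
    if (!$order->needs_payment()) {
        status_header(200);
        exit('already processed');
    }

    $order->payment_complete((string) ($payload['transaction_id'] ?? ''));
    status_header(200);
    exit('ok');
}
```

The ordering matters: the signature check runs on the raw body before json_decode and before any database lookup, so an unauthenticated request is rejected without the handler ever naming an order, and the response text is the same for "no such order" as for any other failure once the signature gate has been passed only by the gateway.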
Explanation of the vulnerability in simple terms
02 Summary
The iPaymu Payment Gateway for WooCommerce plugin fails to properly check user permissions before allowing access to sensitive payment functions. An attacker without authentication can read payment data and modify transaction records. All versions up to 2.0.2 are affected. Update to a version newer than 2.0.2 to resolve this issue.
What an attacker can do
03 Attacker capabilities
Read payment transaction data and modify transaction records without authentication.
Potential impact on your site
04 Site impact
Customer payment data exposed; transaction integrity compromised; potential financial and compliance liability.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 7, 2026: CVE published
April 8, 2026: Record updated