What the vulnerability does
01 Description
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests; that function trusts user-controllable headers such as X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing an allowlisted BlueSnap IP address and to send forged IPN (Instant Payment Notification) data that manipulates order statuses (marking orders as paid, failed, refunded, or on-hold) without proper authorization.
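The check below is an added example, not the plugin's code or WooCommerce's: `header_derived_ip()` reproduces the header-trusting resolution the description attributes to `WC_Geolocation::get_ip_address()`, while `peer_derived_ip()` uses the TCP peer address and honours X-Forwarded-For only when the peer is a reverse proxy the operator has listed. The allowlist addresses and the sample request are constructed; function names and `BLUESNAP_IPN_ALLOWLIST` are assumptions for illustration.

```php
<?php
// Added example: allowlist validation built on a header-derived IP versus
// one built on the TCP peer address. Addresses are constructed placeholders.
const BLUESNAP_IPN_ALLOWLIST = ['198.51.100.10', '198.51.100.11'];

// Header-trusting resolution (the weak pattern the advisory describes):
// a forwarding header supplied with the request overrides REMOTE_ADDR.
function header_derived_ip(array $server): string {
    if (!empty($server['HTTP_X_REAL_IP'])) {
        return trim($server['HTTP_X_REAL_IP']);
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost entry is whatever the sender claims the original client was.
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Peer-based resolution: REMOTE_ADDR is filled in by the web server from the
// TCP connection, so the request body and headers cannot change it. A
// forwarding header is consulted only when the peer is a trusted proxy, and
// then only its rightmost hop, which that proxy appended itself.
function peer_derived_ip(array $server, array $trusted_proxies = []): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $peer;
}

function ipn_request_allowed(string $ip): bool {
    return in_array($ip, BLUESNAP_IPN_ALLOWLIST, true);
}

// Constructed request: the connection comes from a host that is not on the
// allowlist, but the request carries a forwarding header naming one that is.
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.10',
];

// No trusted proxies configured: the site talks to the sender directly.
echo 'header-derived check: ', ipn_request_allowed(header_derived_ip($request)) ? 'accepted' : 'rejected', "\n";
echo 'peer-derived check:   ', ipn_request_allowed(peer_derived_ip($request, [])) ? 'accepted' : 'rejected', "\n";
```

If the site genuinely sits behind a CDN or reverse proxy, REMOTE_ADDR is that proxy's address, so the proxy's addresses must be passed as `$trusted_proxies` for IPN validation to see the real sender; leaving the list empty on such a deployment would reject legitimate BlueSnap notifications rather than accept forged ones.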
Explanation of Vulnerability in Simple Terms
02 Summary
The BlueSnap Payment Gateway for WooCommerce plugin, in versions 3.4.0 and earlier, lacks proper authorization checks, allowing unauthenticated attackers to modify payment data or transaction records over the network. No user interaction is required. This affects the integrity of payment processing and order data on affected WooCommerce sites.
What an attacker can do
03 Attacker Capabilities
Modify payment data or transaction records without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter payment information, orders, or transaction records, compromising payment integrity and customer trust.
Conditions required to exploit
05 Prerequisites
Network access to the WooCommerce site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 14, 2026: CVE published
April 8, 2026: Record updated