What the vulnerability does
01Description
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.
Explanation of Vulnerability in Simple Terms
02Summary
A vulnerability exists in Eupago Gateway For Woocommerce versions before 4.7.2. The specific attack vector and impact are not yet documented. Site administrators running affected versions should update to 4.7.2 or later. Additional technical details will be available as the vulnerability is analyzed.
What an attacker can do
03Attacker Capabilities
Unknown; insufficient technical data available.
Potential impact on your site
04Site Impact
Sites running Eupago Gateway For Woocommerce < 4.7.2 may be at risk; update immediately.
Conditions required to exploit
05Prerequisites
Unknown; insufficient technical data available.
Key dates
06Disclosure timeline
May 28, 2026
CVE published
May 28, 2026
Record updated