CVE-2026-9027 MEDIUM

CVE-2026-9027: CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Unauthenticated Improper Verification of Cryptographic Signature to Payment Bypass via /wp-json/corvuspay/success/ REST Endpoint

Vendor Corvusinfo
Product CorvusPay WooCommerce Payment Gateway
Weakness CWE-347
Published July 9, 2026
Last update July 9, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The `corvuspay_success_handler` function registers the REST endpoint `POST /wp-json/corvuspay/success/` with `'permission_callback' => '__return_true'`, and while it calls `$this->client->validate->signature()` and stores the boolean result in `$res`, the result is never evaluated in a conditional — it is only written to the debug log — causing execution to unconditionally reach `$order->payment_complete()` regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the `order_number` POST parameter, requiring no prior knowledge of the victim order.

Explanation of Vulnerability in Simple Terms

02Summary

CorvusPay WooCommerce Payment Gateway versions up to 2.7.4 contain an integrity vulnerability that allows attackers to modify data in transit without authentication. The flaw stems from improper cryptographic signature validation (CWE-347). An attacker on the network can intercept and alter payment-related communications. Update to a version newer than 2.7.4 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Modify payment data or transaction details in transit without authentication.

Potential impact on your site

04Site Impact

Payment transactions may be altered or corrupted, risking financial loss and customer trust.

Conditions required to exploit

05Prerequisites

Network access to intercept traffic; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 9, 2026 CVE published
July 9, 2026 Record updated

Related vulnerabilities

08Related CVE