CVE-2026-0656
Unknown Unknown - Not Provided
Missing Authentication in iPaymu WooCommerce Plugin Allows Order Manipulation and Data Exposure

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: Wordfence

Description
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0656
EUVD
EUVD-2026-1237
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ipaymu ipaymu-for-woocommerce to 2.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the iPaymu webhook endpoint used by the WooCommerce plugin, which do not include valid authentication signatures. Since the plugin does not verify webhook request authenticity, any crafted POST requests marking orders as paid without actual payment are suspicious. You can detect such activity by inspecting web server logs for POST requests to the webhook URL (e.g., endpoints handled by the 'check_ipaymu_response' function) that lack valid HMAC-SHA256 signatures or originate from unexpected IP addresses. Commands such as using 'grep' on access logs to find POST requests to the webhook endpoint, for example: `grep "POST /wp-json/wc/v3/ipaymu-webhook" /var/log/apache2/access.log` (adjust path and endpoint as per your setup). Additionally, monitoring for unusual order status changes in WooCommerce without corresponding payment confirmations can indicate exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include updating the iPaymu Payment Gateway for WooCommerce plugin to version 2.0.3 or later, which contains security fixes addressing this vulnerability. Until the update is applied, restrict access to the webhook endpoints by implementing IP whitelisting to allow only trusted iPaymu server IPs, or by adding additional authentication layers such as secret tokens or firewall rules. Also, monitor order statuses for suspicious changes and consider temporarily disabling the iPaymu payment gateway if feasible. Applying the update ensures proper request signing and validation mechanisms are in place to prevent unauthenticated order modifications. [2]

Executive Summary

The vulnerability in the iPaymu Payment Gateway for WooCommerce plugin (up to version 2.0.2) is due to missing authentication in the 'check_ipaymu_response' function. The plugin does not verify the authenticity of webhook requests through signature verification or origin checks. This allows unauthenticated attackers to send crafted POST requests to the webhook endpoint to mark orders as paid without actual payment. Additionally, attackers can use GET requests to enumerate order IDs and obtain valid order keys, exposing customer personally identifiable information (PII) such as names, addresses, and purchased products.

Impact Analysis

This vulnerability can allow attackers to fraudulently mark WooCommerce orders as paid without any real payment, potentially causing financial loss to the merchant. It also enables attackers to access sensitive customer information including names, addresses, and details of purchased products, leading to privacy breaches and potential misuse of customer data.

Compliance Impact

This vulnerability exposes customer personally identifiable information (PII) such as names, addresses, and purchased products due to lack of authentication and validation. Such exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0656. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart