CVE-2026-0656
Missing Authentication in iPaymu WooCommerce Plugin Allows Order Manipulation and Data Exposure
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ipaymu | ipaymu-for-woocommerce | up to and including 2.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the iPaymu Payment Gateway for WooCommerce plugin (up to version 2.0.2) is due to missing authentication in the 'check_ipaymu_response' function. The plugin does not verify the authenticity of webhook requests through signature verification or origin checks. This allows unauthenticated attackers to send crafted POST requests to the webhook endpoint to mark orders as paid without actual payment. Additionally, attackers can use GET requests to enumerate order IDs and obtain valid order keys, exposing customer personally identifiable information (PII) such as names, addresses, and purchased products.
How can this vulnerability impact me?
This vulnerability can allow attackers to fraudulently mark WooCommerce orders as paid without any real payment, potentially causing financial loss to the merchant. It also enables attackers to access sensitive customer information including names, addresses, and details of purchased products, leading to privacy breaches and potential misuse of customer data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes customer personally identifiable information (PII) such as names, addresses, and purchased products due to lack of authentication and validation. Such exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the iPaymu webhook endpoint used by the WooCommerce plugin that do not carry a valid authentication signature. Since the plugin does not verify webhook request authenticity, any crafted POST request that marks an order as paid without an actual payment is suspicious. You can detect such activity by inspecting web server logs for POST requests to the webhook URL (e.g., endpoints handled by the 'check_ipaymu_response' function) that lack valid HMAC-SHA256 signatures or originate from unexpected IP addresses. For example, use 'grep' on the access log to find POST requests to the webhook endpoint: `grep "POST /wp-json/wc/v3/ipaymu-webhook" /var/log/apache2/access.log` (adjust the path and endpoint to match your setup). Additionally, monitoring for unusual order status changes in WooCommerce without corresponding payment confirmations can indicate exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the iPaymu Payment Gateway for WooCommerce plugin to version 2.0.3 or later, which contains security fixes addressing this vulnerability. Until the update is applied, restrict access to the webhook endpoints by implementing IP whitelisting to allow only trusted iPaymu server IPs, or by adding additional authentication layers such as secret tokens or firewall rules. Also, monitor order statuses for suspicious changes and consider temporarily disabling the iPaymu payment gateway if feasible. Applying the update ensures proper request signing and validation mechanisms are in place to prevent unauthenticated order modifications. [2]
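As an added illustration (not the plugin's own code, and not iPaymu's actual signature scheme, which this page does not describe), the Python handler below shows the checks the answers above say were missing: a signature over the raw body, a freshness window, a constant-time comparison, and an amount match before any order is marked paid. The header names, the shared secret, the signing format and the order store are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values standing in for a merchant's store; none are iPaymu's real values.
WEBHOOK_SECRET = b"constructed-shared-secret"  # placeholder, provisioned out of band
MAX_SKEW_SECONDS = 300  # reject notifications more than 5 minutes old
ORDERS = {"1001": {"status": "pending", "total": "150000", "currency": "IDR"}}


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hypothetical scheme: HMAC-SHA256 over '<timestamp>.<raw body>' (not iPaymu's)."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, body: bytes, now: int,
                   secret: bytes = WEBHOOK_SECRET) -> tuple[int, str]:
    """Process a payment notification and return (http_status, reason).

    Every check runs before any order state changes, so an unsigned or forged
    POST, the attack the page describes, never reaches the mark-paid step.
    """
    ts_raw, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
    if ts_raw is None or sig is None:
        return 401, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return 401, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return 401, "stale request"  # limits replay of a captured notification
    if not hmac.compare_digest(sign(body, ts, secret), sig):
        return 401, "bad signature"  # constant-time compare; no timing oracle
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed body"
    order = ORDERS.get(str(payload.get("order_id")))
    if order is None:
        return 404, "unknown order"
    if payload.get("status") != "paid":
        return 200, "ignored"
    # The notified amount must match what the store expects; a validly signed
    # but under-paid notification must not settle the order.
    if str(payload.get("amount")) != order["total"] or payload.get("currency") != order["currency"]:
        return 409, "amount mismatch"
    order["status"] = "paid"
    return 200, "order marked paid"
```

The same check belongs in the plugin's PHP callback; the point is that the order transition happens only after the signature, freshness and amount checks all pass.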