CVE-2026-1305
Improper Authentication in Japanized WooCommerce Enables Order Fraud
Publication date: 2026-02-27
Last updated on: 2026-02-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | the_japanized_for_woocommerce_plugin | to 2.8.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Japanized for WooCommerce plugin for WordPress has a vulnerability in versions up to and including 2.8.4 caused by improper authentication. Specifically, the function `paidy_webhook_permission_check` has a flawed permission check that always returns true if the webhook signature header is missing. This allows attackers who are not authenticated to bypass payment verification.
As a result, an attacker can send a crafted POST request to the Paidy webhook endpoint and fraudulently mark orders as "Processing" or "Completed" without actually making a payment.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to fraudulently mark orders as paid or completed without actual payment. This can lead to financial losses for merchants using the Japanized for WooCommerce plugin, as they may fulfill orders that were never legitimately paid for.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know