CVE-2026-2381
Deferred Deferred - Pending Action

Unauthenticated Order Status Change in WooCommerce Stripe Gateway

Vulnerability report for CVE-2026-2381, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woocommerce stripe_payment_gateway to 10.7.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WooCommerce Stripe Payment Gateway plugin for WordPress has a vulnerability in the ajax_pay_for_order() function up to version 10.7.0. This function lacks proper capability checks and does not verify if the user owns the order or has the correct order key when processing payments via the wc_stripe_pay_for_order WC-AJAX endpoint.

Although the function validates a nonce, this nonce is publicly available on any WooCommerce page with Express Checkout enabled, so it does not provide sufficient protection.

As a result, unauthenticated attackers can manipulate pending orders by forcing them into a failed status using a fake payment method. This is done by enumerating order IDs sequentially and causing payment exceptions that update the order status to "failed."

Impact Analysis

This vulnerability allows unauthenticated attackers to modify order data without authorization.

Specifically, attackers can force any pending order into a failed status by submitting fake payment information, which disrupts the normal payment process.

This can lead to denial of service for legitimate customers trying to complete their purchases, potential loss of sales, and administrative overhead to resolve incorrect order statuses.

Detection Guidance

This vulnerability involves unauthorized modification of WooCommerce orders via the wc_stripe_pay_for_order WC-AJAX endpoint, exploiting missing ownership verification. Detection would involve monitoring for unusual or unauthorized AJAX requests to this endpoint, especially those that attempt to change order statuses without proper authentication.

Since the vulnerability allows unauthenticated attackers to enumerate sequential order IDs and force orders into a failed status, you can detect suspicious activity by checking your web server or application logs for repeated requests to the wc_stripe_pay_for_order endpoint with varying order IDs.

Example commands to detect such activity might include searching your web server logs for requests to the vulnerable endpoint:

  • grep 'wc_stripe_pay_for_order' /var/log/apache2/access.log
  • grep 'wc_stripe_pay_for_order' /var/log/nginx/access.log

Additionally, monitoring for a high number of failed order status changes or payment exceptions in WooCommerce logs or database entries could indicate exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should update the WooCommerce Stripe Payment Gateway plugin to a version later than 10.7.0 where the missing capability check on the ajax_pay_for_order() function is fixed.

If an immediate update is not possible, consider temporarily disabling the Stripe Payment Gateway plugin or restricting access to the wc_stripe_pay_for_order WC-AJAX endpoint to authenticated users only, to prevent unauthenticated attackers from exploiting the missing order ownership verification.

Additionally, monitor your WooCommerce orders for any suspicious status changes to 'failed' that could indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2381. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart