CVE-2026-2381
Unauthenticated Order Status Change in WooCommerce Stripe Gateway

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0. This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled) but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by enumerating sequential order IDs and providing a fake payment method, which causes a payment exception that updates the order status to "failed".
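The defect described above is the difference between a CSRF token and an authorization decision: a nonce that is printed on every Express Checkout page proves only that the request came from a page of the site, not that the caller may act on a particular order. The handler below is an added example written for this page, not code from the WooCommerce Stripe plugin or from WooCommerce itself; it shows the layering of checks that closes this class of gap in a WC-AJAX "pay for order" endpoint. The function name, the `wc_ajax_example_pay_for_order` hook, the `example_pay_for_order` nonce action and the `example_process_order_payment` action are hypothetical names chosen for the example; the WordPress and WooCommerce functions it calls (`check_ajax_referer`, `wc_get_order`, `WC_Order::key_is_valid`, `WC_Order::get_user_id`, `WC_Order::needs_payment`, `wp_send_json_error`) are real APIs.

```php
<?php
/**
 * Hypothetical hardened WC-AJAX "pay for order" handler (added example, not
 * plugin code). Beyond the nonce, the request must prove it is entitled to act
 * on the specific order (order key and ownership) and the order must still be
 * payable before any gateway logic runs.
 */
function example_secure_pay_for_order() {
    // 1. Nonce: a CSRF defence only. A nonce emitted on every Express Checkout
    //    page is available to anyone, so it must not be the sole gate.
    check_ajax_referer( 'example_pay_for_order', 'security' );

    $order_id  = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order_key = isset( $_POST['order_key'] )
        ? wc_clean( wp_unslash( $_POST['order_key'] ) )
        : '';

    $order = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        // Identical response for "not found" and "not allowed" so that the
        // endpoint cannot be used to confirm which sequential IDs exist.
        wp_send_json_error( array( 'message' => 'Invalid order.' ), 403 );
    }

    // 2. Order key: the per-order secret (the wc_order_... value) that only the
    //    party who created the order holds. key_is_valid() compares it with
    //    hash_equals(), so a guessed sequential order_id alone is not enough.
    if ( '' === $order_key || ! $order->key_is_valid( $order_key ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order.' ), 403 );
    }

    // 3. Ownership: an order tied to a registered customer may only be paid by
    //    that customer or by a user with edit_shop_orders (shop manager/admin).
    //    Guest orders (user id 0) are protected by the order key check above.
    $owner_id = $order->get_user_id();
    if ( $owner_id
        && get_current_user_id() !== $owner_id
        && ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order.' ), 403 );
    }

    // 4. State: general hardening beyond the advisory text. Only an order that
    //    still needs payment may be touched here, so a paid order can never be
    //    pushed into "failed" through a payment exception on this path.
    if ( ! $order->needs_payment() ) {
        wp_send_json_error( array( 'message' => 'Order is not payable.' ), 400 );
    }

    // All checks passed: hand off to gateway-specific processing (hypothetical
    // action; the real payment call is outside the scope of this example).
    do_action( 'example_process_order_payment', $order );
    wp_send_json_success( array( 'order_id' => $order->get_id() ) );
}
add_action( 'wc_ajax_example_pay_for_order', 'example_secure_pay_for_order' );
```

The order of checks matters for the failure mode on this page: the status change happens inside the payment attempt, so every authorization test must come before the gateway is invoked, and a failed test must return without loading a payment method or raising an exception that a status-update handler could observe. Returning the same 403 body for unknown and unauthorized orders also removes the oracle that sequential ID enumeration relies on.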
Affected Vendors & Products
Vendor: woocommerce
Product: stripe_payment_gateway
Version / Range: up to and including 10.7.0
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The WooCommerce Stripe Payment Gateway plugin for WordPress has a vulnerability in the ajax_pay_for_order() function up to version 10.7.0. This function lacks proper capability checks and does not verify if the user owns the order or has the correct order key when processing payments via the wc_stripe_pay_for_order WC-AJAX endpoint.

Although the function validates a nonce, this nonce is publicly available on any WooCommerce page with Express Checkout enabled, so it does not provide sufficient protection.

As a result, unauthenticated attackers can manipulate pending orders by forcing them into a failed status using a fake payment method. This is done by enumerating order IDs sequentially and causing payment exceptions that update the order status to "failed."

Impact Analysis

This vulnerability allows unauthenticated attackers to modify order data without authorization.

Specifically, attackers can force any pending order into a failed status by submitting fake payment information, which disrupts the normal payment process.

This can lead to denial of service for legitimate customers trying to complete their purchases, potential loss of sales, and administrative overhead to resolve incorrect order statuses.
