CVE-2026-3640
Status: Received - Intake
Missing Authentication in STRABL WordPress Plugin

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Wordfence

Description
The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or having any valid credentials.
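The description above names the exact defect: a `permission_callback` of `__return_true` on a webhook route, with no shared secret or HMAC check anywhere. The PHP below is an added illustration written for this record, not code from the STRABL plugin or from Wordfence. It shows the vulnerable registration pattern as described, then one way a webhook route can authenticate its caller: an HMAC-SHA256 over a timestamp and the raw request body, keyed with a shared secret, compared in constant time. The header name `X-Strabl-Signature`, the signature format `t=<ts>,v1=<hex>`, the option name `example_strabl_webhook_secret` and the function names are assumptions made for the example and are not the plugin's API.

```php
<?php
/**
 * Added illustration for CVE-2026-3640 (not STRABL's code).
 * Header name, signature format, option name and function names are
 * assumptions for this example only.
 */

/*
 * BEFORE (the pattern the CVE describes): __return_true lets every
 * unauthenticated request reach the order handler.
 *
 *   register_rest_route( 'strabl/webhook', '/order', array(
 *       'methods'             => 'POST',
 *       'callback'            => 'example_handle_order_webhook',
 *       'permission_callback' => '__return_true',
 *   ) );
 */

// AFTER: require a valid HMAC signature before the handler runs.
function example_verify_webhook_signature( WP_REST_Request $request ) {
	// Shared secret known only to the payment provider and this site
	// (assumed to be stored in this option for the example).
	$secret = (string) get_option( 'example_strabl_webhook_secret', '' );
	if ( '' === $secret ) {
		// Fail closed: an unconfigured secret must never silently admit traffic.
		return new WP_Error( 'webhook_not_configured', 'Webhook secret not configured.', array( 'status' => 503 ) );
	}

	$header = $request->get_header( 'x-strabl-signature' ); // assumed header name
	if ( empty( $header ) ) {
		return new WP_Error( 'webhook_unsigned', 'Missing signature.', array( 'status' => 401 ) );
	}

	// Assumed header format: "t=<unix timestamp>,v1=<lowercase hex hmac>".
	$parts = array();
	foreach ( explode( ',', $header ) as $kv ) {
		$pair = explode( '=', $kv, 2 );
		if ( 2 === count( $pair ) ) {
			$parts[ trim( $pair[0] ) ] = trim( $pair[1] );
		}
	}
	if ( ! isset( $parts['t'], $parts['v1'] ) || ! ctype_digit( $parts['t'] ) ) {
		return new WP_Error( 'webhook_bad_signature', 'Malformed signature.', array( 'status' => 401 ) );
	}

	// Reject stale signatures so a captured request cannot be replayed later.
	if ( abs( time() - (int) $parts['t'] ) > 5 * MINUTE_IN_SECONDS ) {
		return new WP_Error( 'webhook_stale', 'Signature timestamp outside tolerance.', array( 'status' => 401 ) );
	}

	// Sign the timestamp plus the exact raw body the server received, so any
	// change to paymentStatus or externalOrderId changes the MAC.
	$signed   = $parts['t'] . '.' . $request->get_body();
	$expected = hash_hmac( 'sha256', $signed, $secret );

	// hash_equals is constant-time; never compare MACs with == or ===.
	if ( ! hash_equals( $expected, strtolower( $parts['v1'] ) ) ) {
		return new WP_Error( 'webhook_bad_signature', 'Invalid signature.', array( 'status' => 401 ) );
	}
	return true;
}

// Only requests that pass the permission callback reach this handler.
function example_handle_order_webhook( WP_REST_Request $request ) {
	$payload = $request->get_json_params();
	// Order creation / status updates would be processed here.
	return new WP_REST_Response( array( 'received' => true, 'keys' => array_keys( (array) $payload ) ), 200 );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'strabl/webhook', '/order', array(
		'methods'             => 'POST',
		'callback'            => 'example_handle_order_webhook',
		'permission_callback' => 'example_verify_webhook_signature',
	) );
} );
```

Two design points worth noting. The signature must cover the raw body, not a re-serialised copy, because any whitespace or key-order difference would produce a different MAC; `WP_REST_Request::get_body()` returns the bytes as received. And authenticating the caller addresses the missing-authentication issue the CVE describes, but it does not by itself make a client-supplied `paymentStatus=paid` trustworthy; where the payment provider offers a lookup API, confirming the payment state server-side before marking an order complete is an additional safeguard.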
Meta Information

  • EPSS Evaluated: N/A
Affected Vendors & Products

  • Vendor: strabl
  • Product: strabl
  • Version / Range: up to and including 4.5
CWE

  • CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

The STRABL checkout solution plugin for WordPress has a vulnerability called Missing Authentication in all versions up to and including 4.5. The plugin exposes a REST API webhook endpoint at /wp-json/strabl/webhook/order that does not require any authentication or authorization because its permission callback always returns true.

This means anyone can send requests to this endpoint without credentials, shared secrets, signatures, HMAC verification, or tokens.

As a result, attackers can create fraudulent WooCommerce orders marked as paid, manipulate order statuses, create new WordPress user accounts with customer roles, issue refunds, cancel orders, and apply chargeback fees without making legitimate payments or having valid credentials.

Impact Analysis

This vulnerability can lead to significant financial and operational impacts. Attackers can create fake orders marked as paid, causing revenue loss.

They can manipulate existing orders by changing their status, issue unauthorized refunds, cancel legitimate orders, and apply chargeback fees, all without authorization.

Additionally, attackers can create new WordPress user accounts with customer roles, potentially leading to further abuse or exploitation of the system.

Detection Guidance

Exploitation of this vulnerability can be detected by monitoring HTTP requests to the REST API endpoint /wp-json/strabl/webhook/order on your WordPress site, since in affected versions every request to it is accepted without authentication.

You can use network traffic inspection tools or web server logs to identify such requests.

For example, using command line tools, you can search your web server access logs for requests to the vulnerable endpoint:

  • grep "/wp-json/strabl/webhook/order" /var/log/apache2/access.log
  • grep "/wp-json/strabl/webhook/order" /var/log/nginx/access.log

Additionally, you can use curl or similar tools to test if the endpoint is accessible without authentication:

  • curl -i https://yourwordpresssite.com/wp-json/strabl/webhook/order

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable REST API endpoint /wp-json/strabl/webhook/order.

You should update the STRABL plugin to a version that fixes this authentication issue once available.

In the meantime, you can implement firewall rules or web server configurations to block unauthenticated access to this endpoint.

Monitoring for suspicious activity related to order creation or modification is also recommended.

Compliance Impact

The vulnerability allows unauthenticated attackers to manipulate WooCommerce orders and create user accounts without authorization, which could lead to unauthorized access and fraudulent transactions.

Such unauthorized actions may result in violations of data protection and security requirements mandated by standards like GDPR and HIPAA, as these regulations require proper authentication and protection of personal and transactional data.

However, the provided information does not explicitly describe the direct impact on compliance with these standards.
