CVE-2026-56048
Deferred - Pending Action
Unauthenticated IDOR in WooCommerce Payment Gateway Fees

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: patchstack
Product: payment_gateway_based_fees_and_discounts_for_woocommerce
Version / Range: to 3.0.0|start_including=3.1.0 (inc)
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-56048 is an Insecure Direct Object Reference (IDOR) vulnerability in the WordPress plugin "Payment Gateway Based Fees and Discounts for WooCommerce", versions 3.0.0 and below.

This vulnerability allows unauthenticated attackers to bypass authorization controls and directly access sensitive data or interact with the database due to broken access control mechanisms.

Because the flaw is unauthenticated, attackers do not need to log in or have any privileges to exploit it.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data or unauthorized interactions with the database.

Such unauthorized access can compromise the integrity of your data and potentially disrupt your e-commerce operations.

Given the CVSS score of 6.5, the vulnerability poses a moderate risk and has potential for mass exploitation if left unpatched.

Users are strongly advised to update the plugin to version 3.1.0 or later to mitigate this risk.

Mitigation Strategies

The vulnerability affects the Payment Gateway Based Fees and Discounts for WooCommerce plugin version 3.0.0 or below.

To mitigate this vulnerability, users should immediately update the plugin to version 3.1.0 or later.

If updating immediately is not possible, users are advised to seek assistance from their hosting provider or developer.

Note that no virtual patch can be applied due to the nature of the vulnerability.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authorization and access sensitive data or interact with the database due to broken access control.

Such unauthorized access to sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Therefore, if exploited, this vulnerability could result in violations of these standards by exposing or compromising protected data.
