CVE-2026-11575
Received Received - Intake

Unauthenticated Payment Forgery in PhonePe WordPress Plugin

Vulnerability report for CVE-2026-11575, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
phonepe payment_solutions to 3.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The PhonePe Payment Solutions WordPress plugin before version 3.1.0 has a flaw where it does not properly verify payment callbacks. The secret key used to validate callback signatures is empty during setup, making the expected signature just a hash of the request body. Attackers can forge payment-success notifications to mark unpaid WooCommerce orders as paid without any actual payment.

Detection Guidance

Check the installed version of the PhonePe Payment Solutions plugin in WordPress. If it is below 3.1.0, the system is vulnerable. Use commands like 'wp plugin list' in WordPress CLI or inspect the plugin files directly.

Impact Analysis

This vulnerability allows unauthenticated attackers to trick your system into recording fake payments. If exploited, unpaid orders may be marked as paid, leading to financial losses or incorrect order fulfillment. It could also disrupt business operations or damage customer trust.

Compliance Impact

This vulnerability could lead to non-compliance with data integrity and financial transaction regulations like GDPR (data accuracy) or PCI DSS (payment security). Incorrect payment records may violate audit trails, risking legal penalties or loss of certification.

Mitigation Strategies

Update the PhonePe Payment Solutions plugin to version 3.1.0 or later immediately. If an update is not available, disable the plugin temporarily until a patch is released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11575. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart