Vulnerabilities ›

CVE-2026-0656

High

iPaymu Payment Gateway Authentication Bypass Enables Order Fraud and Data Exposure

CWE-862 — Weakness Type

                    Published: Jan 7, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

8.2

🔗 NVD Official

📄 Description (English)

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.

🤖 AI Executive Summary

The iPaymu Payment Gateway plugin for WordPress lacks authentication in its webhook handler, allowing attackers to mark orders as paid without actual payment and enumerate customer data. Unauthenticated attackers can access sensitive order information including customer names, addresses, and purchase history through GET requests.

📄 Description (Arabic)

تفتقر إضافة بوابة الدفع iPaymu لـ WooCommerce إلى آلية المصادقة في معالج webhook الخاص بها، مما يسمح للمهاجمين بتحديد الطلبات كمدفوعة دون حدوث دفع فعلي. يمكن للمهاجمين غير المصرح لهم الوصول إلى معلومات الطلبات الحساسة بما في ذلك أسماء العملاء والعناوين وسجل المشتريات من خلال طلبات GET.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 1, 2026 13:37

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom government healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1566 T1589 T1592 T1110

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Update the iPaymu Payment Gateway plugin to version 2.0.3 or later immediately. Implement webhook signature verification using HMAC-SHA256 or similar cryptographic methods. Add origin validation checks for webhook requests. Restrict webhook endpoint access to known iPaymu IP addresses. Implement rate limiting on webhook and enumeration endpoints. Audit logs for unauthorized webhook attempts and order enumeration activities.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة بوابة الدفع iPaymu إلى الإصدار 2.0.3 أو أحدث فوراً. قم بتنفيذ التحقق من توقيع webhook باستخدام HMAC-SHA256 أو طرق تشفيرية مماثلة. أضف فحوصات التحقق من أصل الطلبات. قيد الوصول إلى نقطة نهاية webhook لعناوين IP معروفة من iPaymu. طبق تحديد معدل الطلبات على نقاط النهاية. قم بمراجعة السجلات للكشف عن محاولات webhook غير المصرح بها.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.2.1 5.2.2

🔵 SAMA CSF

CC-6.1 CC-6.2 CC-7.2

🟡 ISO 27001:2022

A.9.2.1 A.9.4.3 A.14.2.1

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/ipaymu-for-woocommerce/tags/2.0.2/gateway.ph...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=342965...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/7e639aed-ec67-4212-9051-1f746...

security@wordfence.com

📊 CVSS Score

8.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score8.2

CWECWE-862

EPSS0.26%

Exploit No

Patch ✓ Yes

Published 2026-01-07

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-862

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-0656

💬 Comments

Introduce Yourself

Sign In Required