Vulnerabilities ›

CVE-2026-33661

High ⚡ Exploit Available

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all

CWE-290 — Weakness Type

                    Published: Mar 26, 2026                      ·  Modified: Apr 2, 2026                      ·  Source: NVD                

CVSS v3

8.6

🔗 NVD Official

📄 Description (English)

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.

🤖 AI Executive Summary

CVE-2026-33661 is a critical authentication bypass vulnerability in the Pay SDK affecting WeChat payment processing. The vulnerability allows attackers to forge payment success notifications by sending requests with a 'Host: localhost' header, completely bypassing RSA signature verification. This could enable fraudulent transactions and financial loss for e-commerce platforms and payment processors using affected versions prior to 3.7.20.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 02:49

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses severe risk to Saudi financial institutions, e-commerce platforms, and fintech companies integrating WeChat Pay for cross-border transactions. Primary impact sectors: Banking (payment processing systems), E-commerce (online retailers), Telecom (STC, Zain payment services), and Government (digital payment initiatives). Organizations processing WeChat payments for Chinese customers or international transactions are at highest risk. Potential impact includes unauthorized payment confirmations, revenue loss, and regulatory violations under SAMA oversight.

🏢 Affected Saudi Sectors

Banking E-commerce Fintech Telecom Government Retail

🎯 MITRE ATT&CK Techniques

T1589 - Gather Victim Identity Information (forging payment notifications) T1566 - Phishing (crafted HTTP requests) T1040 - Network Sniffing (Host header manipulation) T1578 - Modify Cloud Compute Infrastructure (localhost bypass) T1556 - Modify Authentication Process (signature verification bypass)

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all systems using Pay SDK versions prior to 3.7.20 by scanning composer.lock and dependency manifests

2. Isolate affected payment processing systems from production if critical

3. Review payment callback logs for suspicious 'Host: localhost' requests in the past 90 days

4. Implement WAF rules to block requests with 'Host: localhost' header to payment endpoints



PATCHING:

1. Update Pay SDK to version 3.7.20 or later immediately: composer update yansongda/pay

2. Test payment callback functionality in staging environment before production deployment

3. Verify signature verification is functioning correctly post-patch



COMPENSATING CONTROLS (if immediate patching not possible):

1. Implement reverse proxy validation to reject requests with 'Host: localhost' header

2. Add IP whitelist validation for WeChat callback servers (only allow WeChat's official IPs)

3. Implement additional HMAC validation layer independent of SDK

4. Enable request logging and alerting for localhost-based payment callbacks



DETECTION:

1. Monitor access logs for HTTP requests to payment callback endpoints with 'Host: localhost'

2. Alert on payment success notifications without corresponding payment gateway confirmations

3. Track discrepancies between WeChat merchant backend and application payment records

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تستخدم إصدارات Pay SDK السابقة للإصدار 3.7.20 بمسح ملفات composer.lock

2. عزل أنظمة معالجة الدفع المتأثرة عن الإنتاج إذا كانت حرجة

3. مراجعة سجلات رد الاتصال للدفع بحثاً عن طلبات مريبة برأس 'Host: localhost' في آخر 90 يوماً

4. تطبيق قواعد WAF لحجب الطلبات برأس 'Host: localhost' إلى نقاط نهاية الدفع

التصحيح:

1. تحديث Pay SDK إلى الإصدار 3.7.20 أو أحدث فوراً: composer update yansongda/pay

2. اختبار وظيفة رد الاتصال للدفع في بيئة التجريب قبل نشر الإنتاج

3. التحقق من أن التحقق من التوقيع يعمل بشكل صحيح بعد التصحيح

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تطبيق التحقق من الخادم الوكيل العكسي لرفض الطلبات برأس 'Host: localhost'

2. إضافة التحقق من قائمة IP البيضاء لخوادم رد الاتصال WeChat

3. تطبيق طبقة التحقق من HMAC الإضافية المستقلة عن SDK

4. تفعيل تسجيل الطلبات والتنبيهات لرد الاتصال للدفع المستند إلى localhost

الكشف:

1. مراقبة سجلات الوصول للطلبات إلى نقاط نهاية رد الاتصال للدفع برأس 'Host: localhost'

2. التنبيه على إشعارات نجاح الدفع بدون تأكيدات بوابة دفع مقابلة

3. تتبع التناقضات بين خادم تاجر WeChat وسجلات الدفع في التطبيق

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements for supplier relationships (SDK vendor security) ECC 2024 A.14.2.5 - Supplier security incident management ECC 2024 A.12.6.1 - Management of technical vulnerabilities

🔵 SAMA CSF

SAMA CSF 2.2 - Secure Software Development (vulnerable code in payment SDK) SAMA CSF 3.1 - Access Control (authentication bypass vulnerability) SAMA CSF 4.1 - Incident Detection and Response (payment fraud detection)

🟡 ISO 27001:2022

ISO 27001:2022 A.8.1 - User endpoint devices (request validation) ISO 27001:2022 A.8.3 - Access control (authentication mechanisms) ISO 27001:2022 A.14.2 - Supplier relationships (third-party SDK security)

🟣 PCI DSS v4.0.1

PCI DSS 3.2.1 - Strong cryptography for authentication (signature verification bypass) PCI DSS 6.2 - Security patches for payment systems PCI DSS 10.2 - Logging and monitoring of payment transactions

🔗 References & Sources 4

🔗

https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f

security-advisories@github.com

Patch

🔗

https://github.com/yansongda/pay/releases/tag/v3.7.20

security-advisories@github.com

Release Notes

🔗

https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc

security-advisories@github.com

Exploit Vendor Advisory

🔗

https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc

134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

yansongda:pay

📊 CVSS Score

8.6

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityN — None / Network

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score8.6

CWECWE-290

EPSS0.09%

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-03-26

Source Feed nvd

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

exploit-available patch-available CWE-290

🏢 Vendor Advisories

🔗 https://github.com/yansongda/pay/security/advisories... 🔗 https://github.com/yansongda/pay/security/advisories...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-33661

💬 Comments

Introduce Yourself

Sign In Required