CVE-2026-0656: CWE-862 Missing Authorization in ipaymu iPaymu Payment Gateway for WooCommerce
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
AI Analysis
Technical Summary
CVE-2026-0656 is a missing authorization vulnerability (CWE-862) in the iPaymu Payment Gateway for WooCommerce plugin for WordPress, affecting all versions up to 2.0.2. The vulnerability arises because the plugin does not validate webhook request authenticity through signature verification or origin checks in the 'check_ipaymu_response' function. This allows unauthenticated attackers to manipulate order payment status by sending crafted POST requests to the webhook endpoint and to enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII.
Potential Impact
An attacker can mark WooCommerce orders as paid without making any payment, potentially leading to financial loss for merchants. The attacker can also enumerate order IDs and retrieve valid order keys, exposing sensitive customer information including names, addresses, and details of purchased products. There is no indication of availability impact. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, users should consider disabling the iPaymu Payment Gateway plugin or restricting access to the webhook endpoint to trusted sources if possible. Monitor vendor communications for updates and apply official patches once available.
CVE-2026-0656: CWE-862 Missing Authorization in ipaymu iPaymu Payment Gateway for WooCommerce
Description
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-0656 is a missing authorization vulnerability (CWE-862) in the iPaymu Payment Gateway for WooCommerce plugin for WordPress, affecting all versions up to 2.0.2. The vulnerability arises because the plugin does not validate webhook request authenticity through signature verification or origin checks in the 'check_ipaymu_response' function. This allows unauthenticated attackers to manipulate order payment status by sending crafted POST requests to the webhook endpoint and to enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII.
Potential Impact
An attacker can mark WooCommerce orders as paid without making any payment, potentially leading to financial loss for merchants. The attacker can also enumerate order IDs and retrieve valid order keys, exposing sensitive customer information including names, addresses, and details of purchased products. There is no indication of availability impact. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, users should consider disabling the iPaymu Payment Gateway plugin or restricting access to the webhook endpoint to trusted sources if possible. Monitor vendor communications for updates and apply official patches once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-01-06T18:32:43.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e0294a55ed4ed9984d573
Added to database: 1/7/2026, 6:52:04 AM
Last enriched: 4/9/2026, 6:19:23 PM
Last updated: 5/9/2026, 11:04:37 PM
Views: 282
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.