The iPaymu Payment Gateway for WooCommerce plugin suffers from a CWE-862 Missing Authorization vulnerability identified as CVE-2026-0656. The root cause is the lack of proper authentication and origin verification in the 'check_ipaymu_response' webhook endpoint, which processes payment notifications. Without validating request signatures or verifying the source, the plugin accepts any incoming POST request as legitimate, allowing attackers to mark orders as paid fraudulently. This bypasses the payment verification process, enabling financial fraud and order manipulation. Furthermore, the plugin exposes an endpoint accessible via GET requests that allows enumeration of order IDs and retrieval of valid order keys. This leads to unauthorized disclosure of customer PII, including names, shipping addresses, and details of purchased products. The vulnerability affects all versions up to 2.0.2, with no authentication or user interaction required for exploitation. The CVSS 3.1 base score is 8.2, reflecting high impact on confidentiality and integrity, with network attack vector and low attack complexity. Although no public exploits are reported, the vulnerability poses a serious risk to WooCommerce merchants using iPaymu, potentially resulting in fraudulent transactions, reputational damage, and regulatory compliance issues related to data privacy.

This vulnerability can have severe consequences for organizations running WooCommerce stores with the iPaymu Payment Gateway plugin. Attackers can fraudulently mark orders as paid, leading to financial losses due to shipment of goods without actual payment. The ability to enumerate order IDs and extract customer PII increases the risk of privacy violations, identity theft, and regulatory penalties under data protection laws such as GDPR or CCPA. The integrity of the order processing system is compromised, undermining trust in the e-commerce platform. Additionally, attackers could use the exposed information for targeted phishing or social engineering attacks. The lack of authentication and ease of exploitation mean that any attacker on the internet can attempt to exploit this flaw, potentially affecting a large number of WooCommerce merchants globally. This could also lead to increased chargebacks and disputes, impacting merchant reputation and payment processor relationships.

Immediate mitigation should include disabling the iPaymu Payment Gateway plugin until a patched version is released. Merchants should monitor order statuses for suspicious activity and verify payments through alternative means. Implementing network-level restrictions such as IP whitelisting for webhook endpoints can reduce exposure. If possible, add custom middleware to validate webhook requests by checking for shared secrets or HMAC signatures before processing. Merchants should also audit logs to detect unauthorized access or manipulation attempts. Updating to a patched version once available is critical. Additionally, WooCommerce administrators should enforce least privilege principles and ensure that order data is not publicly accessible via unauthenticated endpoints. Regular security assessments and penetration testing of payment integrations can help identify similar issues proactively. Finally, educating staff about potential fraud indicators and maintaining compliance with data protection regulations will help mitigate downstream risks.