CVE-2026-0679 identifies a missing authorization vulnerability (CWE-862) in the Fortis for WooCommerce plugin for WordPress, specifically in the 'check_fortis_notify_response' function. The vulnerability stems from an inverted nonce check, which is a security mechanism designed to validate the authenticity of requests and prevent CSRF (Cross-Site Request Forgery) attacks. Due to this flawed logic, the plugin incorrectly authorizes requests, allowing unauthenticated attackers to bypass authorization controls. This enables them to update arbitrary WooCommerce order statuses to 'paid', 'processing', or 'completed' without making any actual payment. The vulnerability affects all versions up to and including 1.2.0. The CVSS 3.1 base score is 5.3 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), limited integrity impact (I:L), and no availability impact (A:N). This means the attack can be executed remotely without authentication or user interaction, but it only impacts the integrity of order statuses. No patches or known exploits have been reported at the time of publication. The vulnerability could be exploited by attackers to fraudulently mark orders as paid, potentially causing financial loss and operational disruption for e-commerce merchants using this plugin.

The primary impact of this vulnerability is financial fraud and operational disruption for e-commerce businesses using the Fortis for WooCommerce plugin. Attackers can manipulate order statuses to appear paid without actual payment, leading to unauthorized order fulfillment and revenue loss. This undermines the trustworthiness of the payment processing workflow and can result in inventory depletion, shipping costs for unpaid orders, and customer service challenges. Additionally, the integrity of order data is compromised, which may affect accounting and reconciliation processes. Although the vulnerability does not directly impact confidentiality or availability, the integrity breach can have cascading effects on business operations and customer trust. Organizations relying on this plugin risk financial damage and reputational harm if exploited. The lack of required authentication and user interaction makes exploitation relatively easy, increasing the likelihood of attacks if unmitigated.

To mitigate this vulnerability, organizations should immediately update the Fortis for WooCommerce plugin to a patched version once available. In the absence of an official patch, administrators should implement strict access controls to restrict access to the plugin’s notification endpoints, such as IP whitelisting or web application firewall (WAF) rules that block unauthorized requests. Monitoring and logging all order status changes can help detect suspicious activity early. Additionally, merchants should consider implementing secondary verification mechanisms for order status changes, such as manual review or confirmation for high-value orders. Disabling the plugin temporarily or switching to alternative payment processing solutions may be necessary if a patch is not yet released. Regularly auditing plugin configurations and keeping WordPress and all plugins updated reduces exposure to similar vulnerabilities. Finally, educating staff about potential fraud scenarios can improve incident response readiness.