CVE-2026-0692 is a missing authorization vulnerability (CWE-862) in the BlueSnap Payment Gateway for WooCommerce plugin for WordPress, affecting all versions up to 3.4.0. The plugin improperly validates IPN requests by relying on WooCommerce's WC_Geolocation::get_ip_address() function, which uses user-controllable HTTP headers to determine client IP addresses. This trust in spoofable headers enables unauthenticated attackers to bypass IP allowlist restrictions by spoofing BlueSnap IP addresses. Consequently, attackers can send forged IPN data to manipulate order statuses without authorization, impacting the integrity of order processing.

The vulnerability allows unauthenticated attackers to bypass IP allowlist restrictions and send forged IPN messages to the BlueSnap Payment Gateway for WooCommerce plugin. This can lead to unauthorized manipulation of order statuses, including marking orders as paid, failed, refunded, or on-hold. The integrity of order processing is compromised, potentially causing financial discrepancies and operational issues. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix is documented in the provided information, users should monitor the vendor's communications for updates. As a temporary mitigation, avoid relying solely on IP address validation using user-controllable headers for IPN requests. Implement additional authorization checks or restrict IPN processing to verified sources through more robust methods. Do not trust HTTP headers like X-Real-IP or X-Forwarded-For for security decisions until a fix is available.