The Japanized for WooCommerce plugin, widely used to localize WooCommerce stores for Japanese users, contains an improper authentication vulnerability identified as CVE-2026-1305. The root cause is a flawed permission check in the `paidy_webhook_permission_check` function, which is responsible for verifying the legitimacy of incoming webhook requests from the Paidy payment service. Specifically, if the webhook signature header is omitted, the function erroneously returns true, effectively bypassing authentication. This allows an attacker to craft a POST request to the Paidy webhook endpoint that marks orders as "Processing" or "Completed" without any actual payment being made. The vulnerability does not expose sensitive data (no confidentiality impact) nor does it disrupt service availability, but it compromises the integrity of order status data, enabling fraudulent order processing. The vulnerability affects all versions up to and including 2.8.4 of the plugin. Although no public exploits have been reported, the vulnerability is remotely exploitable without authentication or user interaction, increasing the risk of exploitation. The CVSS 3.1 base score is 5.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity. The flaw is categorized under CWE-287 (Improper Authentication).

This vulnerability allows attackers to bypass payment verification mechanisms and fraudulently update order statuses in WooCommerce stores using the Japanized for WooCommerce plugin. The primary impact is on data integrity, as attackers can mark unpaid orders as paid, potentially leading to financial losses, inventory mismanagement, and reputational damage for affected merchants. While confidentiality and availability are not directly impacted, the trustworthiness of the e-commerce transaction process is undermined. Organizations relying on this plugin for payment processing in WooCommerce are at risk of fraudulent transactions and chargebacks. The ease of exploitation without authentication and user interaction increases the likelihood of automated or targeted attacks. This can affect online retailers’ revenue and customer trust, especially those with high transaction volumes or limited manual order verification processes.

To mitigate this vulnerability, organizations should immediately update the Japanized for WooCommerce plugin to a patched version once available. In the absence of an official patch, implement manual verification of webhook requests by validating the presence and correctness of the webhook signature header before processing any order status updates. Employ additional webhook security measures such as IP whitelisting for known Paidy webhook IP addresses, rate limiting webhook endpoints, and logging all webhook activity for anomaly detection. Merchants should also consider implementing secondary verification steps for order status changes, such as manual review or cross-checking payment gateway records. Regularly audit WooCommerce plugins for updates and security advisories. Finally, educate development and operations teams about the risks of improper authentication in webhook handlers and enforce secure coding practices for third-party integrations.