CVE-2026-2381 is a missing authorization vulnerability (CWE-862) in the WooCommerce Stripe Payment Gateway plugin for WordPress. The ajax_pay_for_order() function fails to verify that the user requesting payment processing owns the order or possesses the correct order key. Instead, it only validates a nonce that is publicly available on WooCommerce pages with Express Checkout enabled. This allows unauthenticated attackers to manipulate any pending order by providing a fake payment method through the wc_stripe_pay_for_order WC-AJAX endpoint, causing the order status to be updated to 'failed' due to a payment exception. The vulnerability affects all versions up to and including 10.7.0.

An attacker without authentication can cause integrity loss by forcing any pending order into a failed status, disrupting order processing and potentially causing denial of service to legitimate customers. There is no confidentiality impact, but the integrity and availability of order data are affected. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the wc_stripe_pay_for_order AJAX endpoint if possible, and monitor for suspicious activity related to order status changes. Avoid exposing nonces publicly if feasible. Follow vendor updates closely for an official patch or temporary mitigation.