CVE-2026-33661: CWE-290: Authentication Bypass by Spoofing in yansongda pay
CVE-2026-33661 is a high-severity authentication bypass vulnerability (CWE-290, Authentication Bypass by Spoofing) in the yansongda pay SDK in versions prior to 3.7.20. The flaw exists in the verify_wechat_sign() function, which skips signature verification whenever the HTTP Host header of the incoming request is 'localhost'. Because the Host header is attacker-controlled, a remote attacker can send a crafted request with 'Host: localhost' to the WeChat Pay callback endpoint and bypass the RSA signature check entirely. This allows forged payment-success notifications, causing the integrating application to mark orders as paid without any real transaction. The vulnerability affects open-source payment SDK integrations for Chinese payment services and carries a CVSS 3.1 base score of 8.6. No exploitation in the wild has been reported. The issue is fixed in version 3.7.20.
AI Analysis
Technical Summary
CVE-2026-33661 affects the yansongda pay SDK, an open-source payment extension widely used to integrate Chinese payment services such as WeChat Pay. The root cause is in the verify_wechat_sign() function in src/Functions.php: when the PSR-7 request's Host header equals 'localhost', the function returns early and never verifies the signature. This is a trust decision keyed on a value the remote caller sets, so an attacker can send an HTTP request to the WeChat Pay callback endpoint with 'Host: localhost' and have the SDK skip the RSA signature verification that is the only thing binding a notification to WeChat Pay's platform key. The attacker can then submit a forged payment-success notification that the application accepts, leading to order fulfilment without payment. All versions before 3.7.20 are affected; 3.7.20 removes the shortcut and verifies the signature regardless of the Host header. The CVSS 3.1 score of 8.6 corresponds to a network attack vector with low complexity, no privileges and no user interaction, high integrity impact, and a scope change: the flaw is in the SDK but the state it corrupts (order and payment status) belongs to the integrating application. No public exploit has been reported, but the attack needs nothing more than a single unauthenticated HTTP request, so affected deployments should treat it as an immediate risk.
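The following PHP is an added illustration of the pattern described above, not the yansongda/pay source and not its API. It models the vulnerable shape (a Host of 'localhost' short-circuits verification) beside a hardened verifier that always checks the signature, and runs both against a constructed forged notification and a constructed genuine one. The plain-array request shape stands in for the SDK's PSR-7 request; the Wechatpay-* header names, the "timestamp\nnonce\nbody\n" message layout and the 300-second freshness window are assumptions drawn from the WeChat Pay v3 API rather than from this advisory.

```php
<?php
// Added example: CWE-290 bypass pattern vs. hardened verification.
// NOT yansongda/pay code. Header names, message layout and the freshness
// window are assumptions modelled on the WeChat Pay v3 API.
declare(strict_types=1);

// WeChat Pay v3 signs "timestamp\nnonce\nbody\n" with the platform RSA key
// (assumption from the v3 API, not stated in the advisory).
function wechatMessageToSign(string $timestamp, string $nonce, string $body): string
{
    return "{$timestamp}\n{$nonce}\n{$body}\n";
}

function rsaSha256Verify(string $message, string $signatureB64, string $publicKeyPem): bool
{
    $sig = base64_decode($signatureB64, true);
    if ($sig === false) {
        return false;
    }
    // openssl_verify returns 1 on success, 0 on mismatch, -1 on error.
    return openssl_verify($message, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Hardened shape: the signature is checked unconditionally. Nothing the
// caller sends (Host included) can route around this function's checks.
function verifyCallbackHardened(array $request, string $publicKeyPem): bool
{
    $h = $request['headers'];
    foreach (['Wechatpay-Timestamp', 'Wechatpay-Nonce', 'Wechatpay-Signature'] as $name) {
        if (!isset($h[$name]) || $h[$name] === '') {
            return false;
        }
    }
    // Reject stale notifications to blunt replay (300 s is an assumed window).
    if (abs(time() - (int) $h['Wechatpay-Timestamp']) > 300) {
        return false;
    }
    $msg = wechatMessageToSign($h['Wechatpay-Timestamp'], $h['Wechatpay-Nonce'], $request['body']);
    return rsaSha256Verify($msg, $h['Wechatpay-Signature'], $publicKeyPem);
}

// Vulnerable shape: a Host of "localhost" returns success before any
// cryptographic check. The Host header is attacker-controlled, so this
// branch is reachable from the Internet, not only from the loopback.
function verifyCallbackVulnerable(array $request, string $publicKeyPem): bool
{
    if (($request['headers']['Host'] ?? '') === 'localhost') {
        return true; // BUG: trust decision keyed on an attacker-supplied header
    }
    return verifyCallbackHardened($request, $publicKeyPem);
}

// --- Demonstration with a constructed key pair and constructed requests ---
$platformKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$platformPublicPem = openssl_pkey_get_details($platformKey)['key'];

$body = json_encode(['event_type' => 'TRANSACTION.SUCCESS', 'resource' => ['ciphertext' => 'constructed']]);

// Forged: attacker has no platform key, so the signature is garbage,
// but the Host header is set to "localhost".
$forged = [
    'headers' => [
        'Host'                => 'localhost',
        'Wechatpay-Timestamp' => (string) time(),
        'Wechatpay-Nonce'     => 'attacker-nonce',
        'Wechatpay-Signature' => base64_encode(str_repeat("\0", 256)),
    ],
    'body' => $body,
];

// Genuine: signed with the platform private key, normal public Host.
$ts = (string) time();
$nonce = bin2hex(random_bytes(8));
openssl_sign(wechatMessageToSign($ts, $nonce, $body), $sig, $platformKey, OPENSSL_ALGO_SHA256);
$genuine = [
    'headers' => [
        'Host'                => 'pay.example.com',
        'Wechatpay-Timestamp' => $ts,
        'Wechatpay-Nonce'     => $nonce,
        'Wechatpay-Signature' => base64_encode($sig),
    ],
    'body' => $body,
];

printf("vulnerable, forged request:  %s\n", verifyCallbackVulnerable($forged, $platformPublicPem) ? 'ACCEPTED' : 'rejected');
printf("hardened,   forged request:  %s\n", verifyCallbackHardened($forged, $platformPublicPem) ? 'ACCEPTED' : 'rejected');
printf("hardened,   genuine request: %s\n", verifyCallbackHardened($genuine, $platformPublicPem) ? 'accepted' : 'REJECTED');
```

The point of the comparison is that the vulnerable verifier accepts the forged request purely on the strength of one header the attacker typed, while the hardened verifier never consults Host at all; the correct fix is to delete the shortcut, not to tighten the string it compares against.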
Potential Impact
This vulnerability can have severe consequences for organizations relying on the yansongda pay SDK for WeChat Pay integrations. Attackers can bypass payment verification, causing applications to mark orders as paid without actual transactions, leading to direct financial losses and potential fraud. This undermines the integrity of payment systems, damages customer trust, and may result in chargebacks or legal liabilities. The scope of impact includes any e-commerce platforms, financial services, or applications using vulnerable versions of the SDK, especially those processing high volumes of transactions. Additionally, the breach of payment integrity can facilitate further fraudulent activities, including unauthorized access to services or goods. The lack of authentication or user interaction requirements makes exploitation straightforward for remote attackers, increasing the risk of widespread abuse if the vulnerability is not promptly addressed.
Mitigation Recommendations
Organizations should immediately upgrade the yansongda pay SDK to version 3.7.20 or later, where signature verification is enforced regardless of the Host header; confirm the installed version from composer.lock (package name yansongda/pay) rather than from the application's own changelog. Until the upgrade is applied, enforce an allowlist of the exact hostname(s) the callback URL is registered under at the web server, reverse proxy or application firewall, and drop requests whose Host does not match; an allowlist is preferable to rejecting only 'localhost', which misses trivial variants. If the application sits behind a reverse proxy, make sure the proxy forwards the client's original Host rather than rewriting it to a loopback name, since that would turn every upstream request into the bypass condition. Monitor payment callback endpoints for requests with unexpected Host headers, for notifications that fail signature verification, and for order state changes with no matching transaction on the provider side. Restrict reachability of the callback endpoint to the payment provider's published notification sources where the provider documents them. Review the payment-processing code path for other places where verification can be skipped based on request-controlled data. Finally, maintain an incident response plan to identify and reverse any orders that were marked paid via forged notifications.
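The PHP below is an added example of the two stop-gap checks an operator can run before the upgrade lands: it reads the installed yansongda/pay version from composer.lock and compares it to the fixed version 3.7.20 named in the advisory, and it enforces an exact-hostname allowlist for the callback endpoint. It is not part of the SDK or this page; the composer.lock contents, the allowed hostname pay.example.com and the function names are constructed for the demonstration.

```php
<?php
// Added example (not yansongda/pay code): version audit and Host allowlist.
// composer.lock fragment, allowed hostname and function names are constructed.
declare(strict_types=1);

const FIXED_VERSION = '3.7.20';

// Return the installed yansongda/pay version from composer.lock, or null if absent.
function installedPayVersion(string $composerLockPath): ?string
{
    $lock = json_decode((string) file_get_contents($composerLockPath), true);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'yansongda/pay') {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

function isVulnerableVersion(?string $version): bool
{
    // "Not installed" is not vulnerable; anything below the fix is.
    return $version !== null && version_compare($version, FIXED_VERSION, '<');
}

// Accept only the exact public name the callback URL was registered under.
// A port suffix is stripped so "pay.example.com:443" is still accepted;
// "localhost" and any other unlisted name is rejected.
function hostIsExpected(string $hostHeader, array $allowedHosts): bool
{
    $host = strtolower(trim($hostHeader));
    $host = preg_replace('/:\d+$/', '', $host) ?? $host;
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// --- Demonstration on a constructed composer.lock ---
$tmp = tempnam(sys_get_temp_dir(), 'lock');
file_put_contents($tmp, json_encode([
    'packages' => [['name' => 'yansongda/pay', 'version' => 'v3.7.19']],
]));
$version = installedPayVersion($tmp);
unlink($tmp);
printf("yansongda/pay %s vulnerable: %s\n", $version ?? '(not installed)', isVulnerableVersion($version) ? 'yes' : 'no');

$allowed = ['pay.example.com']; // assumption: the registered callback host
foreach (['pay.example.com', 'pay.example.com:443', 'localhost', 'LOCALHOST', 'localhost.example.com'] as $h) {
    printf("Host %-24s %s\n", $h, hostIsExpected($h, $allowed) ? 'accepted' : 'rejected');
}
```

Run hostIsExpected() on the raw Host header before the request is handed to the SDK, and return an error response on mismatch. This is a compensating control, not a fix: it only works if the header the application sees is the one the client sent, so verify the proxy chain does not rewrite Host, and keep the upgrade as the actual remediation.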
Affected Countries
China, United States, Singapore, Japan, South Korea, Germany, United Kingdom, Australia, Canada, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.219Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5a54b3c064ed76fcfc828
Added to database: 3/26/2026, 9:29:47 PM
Last enriched: 3/26/2026, 9:45:45 PM
Last updated: 3/27/2026, 5:26:51 AM