CVE-2026-3640: CWE-862 Missing Authorization in strablengineering STRABL – A checkout solution
The STRABL – A checkout solution WordPress plugin up to version 4.5 has a missing authorization vulnerability in its REST API webhook endpoint. The endpoint /wp-json/strabl/webhook/order allows unauthenticated access due to a permission callback that always returns true. This enables attackers to create fraudulent WooCommerce orders, manipulate order statuses, create user accounts with customer roles, issue refunds, cancel orders, and apply chargeback fees without valid credentials or payment.
AI Analysis
Technical Summary
CVE-2026-3640 describes a missing authorization vulnerability (CWE-862) in the STRABL – A checkout solution WordPress plugin. The plugin exposes a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback set to __return_true, effectively disabling any authentication or authorization checks. No mechanisms such as shared secrets, signature validation, HMAC verification, or token-based authentication are implemented. This flaw allows unauthenticated attackers to perform multiple unauthorized actions including creating and completing fraudulent WooCommerce orders, modifying existing orders, creating new WordPress user accounts with customer privileges, issuing refunds, canceling orders, and applying chargeback fees.
Potential Impact
The vulnerability allows unauthenticated attackers to manipulate WooCommerce orders and user accounts without any valid credentials or payment. This can lead to fraudulent transactions, unauthorized refunds, order cancellations, and creation of unauthorized user accounts with customer roles. While it does not impact confidentiality, it affects the integrity of order and user data, potentially causing financial loss and operational disruption for affected e-commerce sites.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict access to the affected REST API endpoint by implementing custom authentication or authorization controls, such as requiring valid tokens or IP whitelisting. Monitor for unusual order activity and consider disabling the webhook endpoint if not in use.
CVE-2026-3640: CWE-862 Missing Authorization in strablengineering STRABL – A checkout solution
Description
The STRABL – A checkout solution WordPress plugin up to version 4.5 has a missing authorization vulnerability in its REST API webhook endpoint. The endpoint /wp-json/strabl/webhook/order allows unauthenticated access due to a permission callback that always returns true. This enables attackers to create fraudulent WooCommerce orders, manipulate order statuses, create user accounts with customer roles, issue refunds, cancel orders, and apply chargeback fees without valid credentials or payment.
CVSS v3.1
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3640 describes a missing authorization vulnerability (CWE-862) in the STRABL – A checkout solution WordPress plugin. The plugin exposes a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback set to __return_true, effectively disabling any authentication or authorization checks. No mechanisms such as shared secrets, signature validation, HMAC verification, or token-based authentication are implemented. This flaw allows unauthenticated attackers to perform multiple unauthorized actions including creating and completing fraudulent WooCommerce orders, modifying existing orders, creating new WordPress user accounts with customer privileges, issuing refunds, canceling orders, and applying chargeback fees.
Potential Impact
The vulnerability allows unauthenticated attackers to manipulate WooCommerce orders and user accounts without any valid credentials or payment. This can lead to fraudulent transactions, unauthorized refunds, order cancellations, and creation of unauthorized user accounts with customer roles. While it does not impact confidentiality, it affects the integrity of order and user data, potentially causing financial loss and operational disruption for affected e-commerce sites.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict access to the affected REST API endpoint by implementing custom authentication or authorization controls, such as requiring valid tokens or IP whitelisting. Monitor for unusual order activity and consider disabling the webhook endpoint if not in use.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-06T16:02:29.333Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a34f83ef198dc38c1c2f531
Added to database: 6/19/2026, 8:05:18 AM
Last enriched: 6/19/2026, 8:20:05 AM
Last updated: 6/19/2026, 4:32:07 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.