CVE-2026-5050: CWE-347 Improper Verification of Cryptographic Signature in jconti Payment Gateway for Redsys & WooCommerce Lite
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.
AI Analysis
Technical Summary
CVE-2026-5050 describes a cryptographic signature verification weakness (CWE-347) in the Payment Gateway for Redsys & WooCommerce Lite WordPress plugin versions up to 7.0.0. The vulnerability arises because the plugin's successful_request() handlers do not validate the Ds_Signature field from payment gateway callbacks, despite calculating a local signature. This improper verification enables attackers to forge payment callback data and change order statuses to paid without legitimate payment confirmation. The issue affects Redsys, Bizum, and Google Pay gateway flows within the plugin.
Potential Impact
An attacker with knowledge of a valid order key and order amount can exploit this vulnerability to mark pending orders as paid without completing an actual payment transaction. This can result in unauthorized checkout completions and the fulfillment of products or services without financial exchange, causing direct financial loss to merchants using the affected plugin.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance, as no official fix or patch had been published when this analysis was written. Until a patch is available, users should consider disabling the affected payment gateway plugin, or placing a control in front of it that verifies Ds_Signature against the signature computed from the merchant key before any order status is changed, and reconciling orders that move to paid against the acquirer's transaction records. Monitor vendor channels for updates and apply official fixes promptly once released.
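The check the advisory says the handlers skip, written here as an added stand-alone example in Go (not the plugin's code): it derives the Redsys HMAC_SHA256_V1 callback signature (order-specific 3DES-derived key, HMAC-SHA256 over Ds_MerchantParameters as received) and compares it with the request's Ds_Signature in constant time before anything is marked paid. The merchant key and callback parameters used with it are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Redsys notifications carry URL-safe base64 ('-' and '_'); normalise before decoding.
func toStdB64(s string) string { return strings.NewReplacer("-", "+", "_", "/").Replace(s) }

// ComputeSignature derives the expected Ds_Signature (HMAC_SHA256_V1) for one callback: the order
// key is 3DES-CBC (zero IV, zero padding) of Ds_Order under the merchant key, then HMAC-SHA256
// is taken over the Ds_MerchantParameters string exactly as received.
func ComputeSignature(merchantKeyB64, paramsB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(toStdB64(paramsB64))
	if err != nil {
		return "", err
	}
	var p struct {
		Order string `json:"Ds_Order"`
	}
	if json.Unmarshal(raw, &p) != nil || p.Order == "" {
		return "", errors.New("Ds_MerchantParameters lacks a usable Ds_Order")
	}
	key, err := base64.StdEncoding.DecodeString(merchantKeyB64)
	block, kerr := des.NewTripleDESCipher(key) // merchant key must decode to 24 bytes
	if err != nil || kerr != nil {
		return "", errors.New("invalid merchant key")
	}
	plain := make([]byte, (len(p.Order)+des.BlockSize-1)/des.BlockSize*des.BlockSize) // zero-padded
	copy(plain, p.Order)
	orderKey := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(orderKey, plain)
	mac := hmac.New(sha256.New, orderKey)
	mac.Write([]byte(paramsB64))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// VerifyCallback is the comparison the vulnerable handlers skip: the locally computed signature
// must equal the request's Ds_Signature (constant-time) before any order is marked paid.
func VerifyCallback(merchantKeyB64, paramsB64, dsSignature string) bool {
	expected, err := ComputeSignature(merchantKeyB64, paramsB64)
	return err == nil && hmac.Equal([]byte(expected), []byte(toStdB64(dsSignature)))
}
```

Matching Ds_Order and Ds_Amount against the local order and checking Ds_Response are still required, but as the advisory notes they do not stop an attacker who already knows the order key and amount; only a verified signature does.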
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-27T16:53:47.167Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e077cf82d89c981f4f92a4
Added to database: 4/16/2026, 5:46:55 AM
Last enriched: 4/16/2026, 6:02:00 AM
Last updated: 4/18/2026, 7:16:14 AM