CVE-2024-0626 in WooCommerce Clover Payment Gateway Plugininfo

Summary

by MITRE • 04/09/2024

The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2024-0626 affects the WooCommerce Clover Payment Gateway plugin for WordPress, representing a critical security flaw that undermines the integrity of e-commerce transactions. This issue stems from a fundamental lack of proper access control mechanisms within the plugin's callback_handler function, which processes payment notifications from the Clover payment processing system. The absence of capability checks means that any unauthenticated attacker can exploit this weakness to manipulate order status, specifically marking orders as paid without proper authorization. This vulnerability exists across all versions of the plugin up to and including version 1.3.1, making it a widespread concern for WordPress e-commerce sites that rely on this payment processing solution.

The technical implementation of this flaw lies in the callback_handler function's failure to verify user permissions before executing critical operations. According to CWE-284, this represents an improper access control vulnerability where the system does not properly enforce authorization checks. The function processes incoming payment notifications from Clover's payment gateway and updates order statuses accordingly, but it lacks any authentication verification or capability validation. An attacker can simply send a crafted HTTP request to the plugin's callback endpoint with malicious parameters that trigger the order status modification, bypassing all normal WordPress authentication flows. This allows unauthorized parties to manipulate order data, potentially leading to financial loss and operational disruption for merchants.

The operational impact of this vulnerability extends beyond simple data manipulation, creating significant risks for online businesses operating through WordPress with WooCommerce. Unauthenticated attackers can exploit this weakness to mark orders as paid, potentially leading to revenue loss, inventory discrepancies, and fraudulent transactions. The vulnerability is particularly dangerous because it operates at the payment processing level where financial data and order integrity are paramount. Attackers could use this to create false payments, manipulate order histories, or even generate false revenue reports that could impact business operations, accounting systems, and customer trust. The lack of authentication requirements means that this vulnerability can be exploited through automated tools, making it a high-impact threat for any site using the affected plugin version.

Mitigation strategies for CVE-2024-0626 should prioritize immediate plugin updates to the latest available version where the capability check has been implemented. Organizations should also implement network-level protections such as rate limiting on payment callback endpoints and monitoring for unusual patterns in payment status changes. According to ATT&CK framework category T1071.004, this vulnerability represents a technique for Application Layer Protocol manipulation where attackers exploit weaknesses in payment processing systems. Security teams should conduct comprehensive audits of all installed plugins for similar access control issues, particularly those handling financial transactions. Additional protective measures include implementing webhook signature validation, restricting access to callback endpoints through IP whitelisting, and establishing automated monitoring for unauthorized order status modifications. Regular security assessments of e-commerce platforms should include verification of proper capability checks in payment processing functions to prevent similar vulnerabilities from being introduced in the future.

Responsible

Wordfence

Reservation

01/16/2024

Disclosure

04/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00641

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!