CVE-2026-0656 in Payment Gateway for WooCommerce Plugin
Summary
by MITRE • 01/07/2026
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
Analysis
by VulDB Data Team • 01/07/2026
The iPaymu Payment Gateway for WooCommerce plugin carries a critical vulnerability tracked as CVE-2026-0656 that affects all versions up to and including 2.0.2. It lies in the plugin's webhook handling, specifically the 'check_ipaymu_response' function, which processes incoming payment notifications without authenticating them: there is neither signature verification nor any check of the request's origin, so a request from anyone is treated the same as one from the gateway. The weakness is classified as CWE-306 (Missing Authentication for Critical Function), and because payment confirmation is precisely the function a gateway plugin exists to protect, the omission undermines the integrity of the store's whole payment flow.
Technically, the flaw lets an attacker change the payment status of WooCommerce orders with crafted POST requests to the webhook endpoint. Because the handler performs no authenticity check, any client that knows the endpoint has its notification accepted as though it came from the gateway, and the order is marked paid with no money having moved. Secrecy of the URL is no protection: the plugin is publicly distributed, so its callback route can be read from the source and is the same on every site that installs it. The same function also leaks data on GET requests, allowing an attacker to enumerate order IDs and retrieve the corresponding order keys; in WooCommerce the order key is what authorises access to an order's details pages, so obtaining it exposes the order itself. One missing check therefore enables both payment fraud and a privacy breach, which is what makes it so damaging for a store that handles customer data.
The operational impact of CVE-2026-0656 extends beyond payment fraud, since the exposed order records include customer names, addresses and detailed purchase histories. By walking order IDs through GET requests an attacker can build profiles of customers' purchases and personal details, creating risks of identity theft and targeted fraud as well as regulatory exposure under data-protection regimes such as the GDPR and the CCPA. In effect the endpoint gives an unauthenticated party read access to the order database while also letting orders be released as paid, so merchants face direct financial loss on top of the privacy breach.
Mitigation must close the authentication gap at the webhook itself. The immediate fix is to verify every payment notification before acting on it: compute an HMAC (or verify the gateway's documented signature) over the raw request body using the secret shared with the gateway, compare it in constant time, and reject anything that does not match; where the gateway offers a transaction-status API, confirming the payment there before marking an order paid is a further safeguard. Origin checks such as source-IP allowlists are a weaker supplement, not a replacement, since addresses change and can be shared. The GET path needs the same discipline: order details should be served only to a caller who already presents the correct order key, and the response must never include the key itself, otherwise the endpoint remains an enumeration oracle. Merchants should additionally rate-limit and monitor the webhook endpoint for bursts of unsigned or rejected notifications and for sequential order-ID probing. In ATT&CK terms the relevant technique is T1190 (Exploit Public-Facing Application); phishing, DNS or denial-of-service techniques do not describe this flaw. Regular security audits and prompt patch management remain essential, and merchants should upgrade to a version that addresses the issue as soon as one is available, reconciling orders marked paid against the gateway's own transaction records in the meantime.
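To make the attack described in the analysis and the fix discussed here concrete, the following is an added example, not code from the plugin or from VulDB, written in Python rather than the plugin's PHP so the logic reads language-neutrally. It places the unauthenticated handler pattern the advisory describes beside a hardened one. The shared secret, the signature header name, the JSON field names and the in-memory order store are all assumptions for the example; a real implementation must follow the gateway's documented signing scheme.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed for the example: a secret shared between merchant site and gateway, and the header
# the gateway puts its signature in. Neither is taken from the plugin; real gateways document
# their own scheme, and that scheme is what a plugin must implement.
WEBHOOK_SECRET = b"example-shared-secret-not-a-real-key"
SIGNATURE_HEADER = "X-Webhook-Signature"


@dataclass
class Order:
    order_id: int
    order_key: str       # WooCommerce-style per-order secret, normally only in the customer's links
    customer: str
    status: str = "pending"


def new_store() -> dict:
    """Constructed stand-in for the WooCommerce order table."""
    return {1001: Order(1001, "wc_order_k3yAAA", "alice"),
            1002: Order(1002, "wc_order_k3yBBB", "bob")}


def forged_notification(order_id: int = 1001) -> bytes:
    """What an unauthenticated attacker would POST: no signature, no order key."""
    return json.dumps({"order_id": order_id, "status": "paid"}).encode()


def genuine_notification(order_id: int = 1001, order_key: str = "wc_order_k3yAAA") -> bytes:
    return json.dumps({"order_id": order_id, "order_key": order_key, "status": "paid"}).encode()


# ---- the pattern the advisory describes: no authenticity check at all ----

def vulnerable_webhook(store: dict, headers: dict, body: bytes):
    """Trusts whatever the POST body says; anyone who knows the URL can mark an order paid."""
    payload = json.loads(body)
    order = store.get(payload.get("order_id"))
    if order is None:
        return 404, "unknown order"
    if payload.get("status") == "paid":
        order.status = "paid"
    return 200, order.status


def vulnerable_lookup(store: dict, order_id: int):
    """GET-style lookup that answers for any order id and hands back the order key and PII."""
    order = store.get(order_id)
    return None if order is None else vars(order)


# ---- hardened form: HMAC over the raw body, then per-order authorisation ----

def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """The gateway side's computation: HMAC-SHA256 over the exact bytes it sends."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def hardened_webhook(store: dict, headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET):
    # 1. Authenticity: check the signature over the raw bytes before parsing anything.
    #    compare_digest is constant-time, so the comparison does not leak the expected value.
    provided = headers.get(SIGNATURE_HEADER, "").encode()
    if not hmac.compare_digest(provided, sign(body, secret).encode()):
        return 401, "invalid signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed body"
    order = store.get(payload.get("order_id"))
    if order is None:
        return 404, "unknown order"
    # 2. Authorisation: the notification must also carry that order's key, so a validly
    #    signed notification for one order cannot be pointed at another.
    if not hmac.compare_digest(str(payload.get("order_key", "")).encode(), order.order_key.encode()):
        return 403, "order key mismatch"
    # 3. Idempotency: a replayed notification must not re-run post-payment actions.
    if order.status == "paid":
        return 200, "already paid"
    if payload.get("status") == "paid":
        order.status = "paid"
        return 200, "marked paid"
    return 200, "ignored"


def hardened_lookup(store: dict, order_id: int, order_key: str):
    """Answers only to a caller who already holds the order key, and never returns the key."""
    order = store.get(order_id)
    if order is None or not hmac.compare_digest(order_key.encode(), order.order_key.encode()):
        return None  # same answer for "no such order" and "wrong key": no enumeration oracle
    return {"order_id": order.order_id, "status": order.status}


def demo():
    """Forged request against both handlers, then a genuine signed one against the hardened handler."""
    forged, genuine = forged_notification(), genuine_notification()
    weak, strong = new_store(), new_store()
    vulnerable_webhook(weak, {}, forged)               # accepted: order 1001 is now "paid"
    rejected = hardened_webhook(strong, {}, forged)    # (401, "invalid signature")
    accepted = hardened_webhook(strong, {SIGNATURE_HEADER: sign(genuine)}, genuine)
    return weak[1001].status, rejected, accepted, strong[1001].status
```

Three design points carry the weight here. The signature is checked over the raw bytes before any parsing, so there is no canonicalisation step an attacker can exploit and malformed input never reaches business logic. The order key acts as a second, per-order factor, so even a signed notification captured for one order cannot be redirected to another. And the lookup returns the same answer for a missing order and a wrong key, removing the enumeration oracle that the GET path of the vulnerable plugin provides.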
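The monitoring recommended above can be done from ordinary web-server access logs. The following is an added example, not from the page or the plugin, that scans combined-format log lines for the two patterns this flaw produces: a burst of POSTs to the webhook from a single source, and GET requests from one source whose order IDs increase by one each time. The log lines are constructed, and the webhook path and the order_id parameter name are assumptions; substitute the route the plugin actually registers on your site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumed route and parameter; the plugin's real webhook path is not given on the page.
WEBHOOK_PATH = "/wc-api/gateway-webhook"
ORDER_PARAM = "order_id"

# Combined-log-format line: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample: one plausible gateway callback, a burst of six forged callbacks from
# one client, seven sequential order-id probes from another, and ordinary shopper traffic.
SAMPLE_LOG = [
    '203.0.113.50 - - [07/Jan/2026:10:00:00 +0000] "POST /wc-api/gateway-webhook HTTP/1.1" 200 2',
    *[f'198.51.100.9 - - [07/Jan/2026:10:01:{s:02d} +0000] "POST /wc-api/gateway-webhook HTTP/1.1" 200 2'
      for s in range(0, 24, 4)],
    *[f'192.0.2.33 - - [07/Jan/2026:10:05:{i:02d} +0000] "GET /wc-api/gateway-webhook?order_id={1000 + i} HTTP/1.1" 200 311'
      for i in range(7)],
    '192.0.2.8 - - [07/Jan/2026:10:06:00 +0000] "GET /shop/ HTTP/1.1" 200 5120',
]


def parse_line(line: str):
    """Return a dict of fields for a recognised line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, post_threshold=5, window_seconds=60, enum_threshold=5):
    """Flag sources that hit the webhook with a POST burst or walk order ids sequentially."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []

    # Pattern 1: many POSTs to the webhook from one source inside a short window.
    # A real gateway sends one notification per transaction, not a stream from one client.
    posts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == WEBHOOK_PATH:
            posts[e["ip"]].append(e["ts"])
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - post_threshold + 1):
            if (times[i + post_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append({"type": "webhook_post_burst", "ip": ip, "count": len(times)})
                break

    # Pattern 2: GET requests from one source whose order ids increase by one each time,
    # the signature of someone enumerating orders rather than following their own link.
    probes = defaultdict(list)
    for e in events:
        oid = e["query"].get(ORDER_PARAM, "")
        if e["method"] == "GET" and e["path"] == WEBHOOK_PATH and oid.isdigit():
            probes[e["ip"]].append(int(oid))
    for ip, ids in probes.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= enum_threshold:
            findings.append({"type": "order_id_enumeration", "ip": ip, "longest_run": longest})
    return findings
```

The thresholds are deliberately conservative starting points; tune them against a week of normal traffic before alerting on them. Once the plugin is patched, the first pattern can also be narrowed to POSTs that the handler rejected with 401, which a correctly signing gateway should never produce.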