CVE-2026-9027 in CorvusPay WooCommerce Payment Gateway Plugin
Summary
by MITRE • 07/09/2026
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The `corvuspay_success_handler` function registers the REST endpoint `POST /wp-json/corvuspay/success/` with `'permission_callback' => '__return_true'`, and while it calls `$this->client->validate->signature()` and stores the boolean result in `$res`, the result is never evaluated in a conditional — it is only written to the debug log — causing execution to unconditionally reach `$order->payment_complete()` regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the `order_number` POST parameter, requiring no prior knowledge of the victim order.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in the CorvusPay WooCommerce Payment Gateway plugin represents a critical security flaw that undermines the payment verification process through improper cryptographic signature validation. This issue affects all versions up to and including 2.7.4, creating a pathway for unauthorized transaction completion that directly compromises the integrity of e-commerce transactions within WordPress environments. The root cause lies in the implementation of the `corvuspay_success_handler` function which registers a REST endpoint at `POST /wp-json/corvuspay/success/` with insufficient permission controls. The function correctly initiates cryptographic signature validation by calling `$this->client->validate->signature()` and stores the boolean result in `$res`, however, this validation outcome is never utilized in any conditional logic to determine whether the payment should proceed.
The operational impact of this vulnerability extends beyond simple security compromise as it enables attackers to execute a payment bypass attack without requiring authentication or authorization. The flaw occurs because the cryptographic signature verification result is merely logged to debug output rather than being evaluated for conditional execution, allowing the code flow to unconditionally reach `$order->payment_complete()` regardless of signature validity. This creates an arbitrary order completion vulnerability where malicious actors can manipulate WooCommerce orders by sending crafted POST requests to the exposed endpoint. The attack vector becomes particularly dangerous due to the sequential nature of WooCommerce order IDs, which are easily enumerable through the `order_number` POST parameter without requiring any prior knowledge of specific order details or victim information.
This vulnerability directly maps to CWE-347, which addresses improper verification of cryptographic signatures, and aligns with ATT&CK technique T1566.002 for credential access through exploitation of web applications. The flaw demonstrates a classic case of insufficient input validation where the system accepts potentially malicious data without proper authorization checks. Attackers can leverage this vulnerability to gain unauthorized access to goods or services by simply constructing a valid POST request with an arbitrary signature value, effectively circumventing the entire payment verification mechanism. The security implications are severe as it allows for automated exploitation through simple network requests that could be executed at scale, potentially leading to significant financial losses for affected merchants and compromising customer trust in the payment ecosystem.
Mitigation strategies should focus on implementing proper permission controls and conditional execution based on cryptographic validation results. The immediate fix requires modifying the `corvuspay_success_handler` function to properly evaluate the signature validation result stored in `$res` before proceeding with order completion. Additionally, the REST endpoint registration should be updated to require proper authentication through WordPress's built-in authorization mechanisms rather than using `'permission_callback' => '__return_true'`. The plugin developers must also implement proper input sanitization and validation for all incoming parameters, particularly the `order_number` field, to prevent enumeration attacks. Organizations should consider implementing network-level restrictions on access to REST endpoints and monitor for unusual patterns of payment completion requests that could indicate exploitation attempts. Regular security audits of WordPress plugins and adherence to secure coding practices, including proper error handling and validation procedures, are essential to prevent similar vulnerabilities from occurring in other components of the e-commerce infrastructure.