CVE-2026-0656

8.2 HIGH

📋 TL;DR

The iPaymu Payment Gateway for WooCommerce WordPress plugin has a missing authentication vulnerability that allows unauthenticated attackers to mark orders as paid without actual payment and enumerate order details. This affects all WordPress sites using the plugin up to version 2.0.2. Attackers can manipulate payment statuses and access customer personal information including names, addresses, and purchase history.

💻 Affected Systems

Products:
  • iPaymu Payment Gateway for WooCommerce WordPress plugin
Versions: All versions up to and including 2.0.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with WooCommerce and the iPaymu plugin enabled.

⚠️ Manual Verification Required

Automated scanners that key on NVD version ranges may not flag this CVE if the NVD entry carries no affected-version data. The boundary is nevertheless known from the vendor changeset cited under Fix & Mitigation: 2.0.2 and earlier are affected, 2.0.3 fixes it. Check the installed version yourself rather than relying on a scanner verdict.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Compare the installed plugin version against the 2.0.2 boundary (see How to Verify)
  3. Confirm whether the plugin is active; an installed but deactivated plugin does not expose the callback (see Notes above)
  4. Update to 2.0.3 or later

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could mark all orders as paid without payment, causing significant financial loss, while also exfiltrating all customer PII including names, addresses, and purchase history, leading to data breaches and regulatory penalties.

🟠

Likely Case

Attackers will mark fraudulent orders as paid to obtain goods without payment and harvest customer data for phishing or identity theft campaigns.

🟢

If Mitigated

With proper webhook authentication and network controls, impact is limited to attempted attacks that are blocked or logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the plugin's callback (webhook) endpoint with crafted order parameters; no WordPress credentials or session are needed, which is what makes weaponization likely despite the absence of a public PoC.
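To make concrete what "missing authentication" means for a payment callback, here is an added illustrative example in Python. It is not the plugin's code and not iPaymu's callback format: the field names (order_id, status, amount, currency, trx_id), the HMAC-SHA256 signature header, the shared secret and the in-memory order table are all assumptions for the demo. The first handler shows the pattern the advisory describes; the second shows the checks that were missing.

```python
"""Added example: an unauthenticated payment callback next to a hardened one.
This is illustrative Python, not the iPaymu plugin's PHP and not iPaymu's
callback format; order_id/status/amount/trx_id, the HMAC-SHA256 signature
header and the in-memory order table are all assumptions for the demo."""
import hashlib
import hmac
import json

# Constructed stand-in for WooCommerce orders (assumption: amounts in IDR).
ORDERS = {
    "1001": {"amount": 250000, "currency": "IDR", "status": "pending", "paid_ref": None},
    "1002": {"amount": 99000, "currency": "IDR", "status": "pending", "paid_ref": None},
}

def fresh_orders():
    """Copy the table so each scenario starts from pending orders."""
    return {k: dict(v) for k, v in ORDERS.items()}

def vulnerable_webhook(orders, params):
    """Missing-authentication pattern: nothing ties the request to the gateway,
    so anyone who can reach the URL can settle any order. An endpoint that also
    echoes the order back gives the order enumeration the advisory describes."""
    order = orders.get(str(params.get("order_id")))
    if order is None:
        return 404
    if params.get("status") == "paid":
        order["status"] = "completed"
    return 200

SHARED_SECRET = b"merchant-secret-issued-by-gateway"  # assumption: one secret per merchant

def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def make_notification(**fields) -> bytes:
    """Build a JSON callback body (helper for the demo)."""
    return json.dumps(fields, sort_keys=True).encode()

def hardened_webhook(orders, body: bytes, headers: dict):
    """The checks a callback needs before it may change order state."""
    # 1. Authenticate first, in constant time, over the raw bytes that were signed.
    if not hmac.compare_digest(headers.get("X-Signature", ""), sign(body)):
        return 401
    # 2. Parse only after the message is known to come from the gateway.
    try:
        p = json.loads(body)
    except ValueError:
        return 400
    order = orders.get(str(p.get("order_id")))
    if order is None:
        return 404
    # 3. Bind the notification to the order: amount and currency must match what was charged.
    if p.get("amount") != order["amount"] or p.get("currency") != order["currency"]:
        return 409
    # 4. Settle once per transaction reference; a replay of the same notification is a no-op.
    ref = p.get("trx_id")
    if not ref:
        return 400
    if order["paid_ref"] is not None:
        return 200 if order["paid_ref"] == ref else 409
    if p.get("status") == "paid":
        order["status"] = "completed"
        order["paid_ref"] = ref
    return 200
```

In a real plugin the authenticated handler should additionally confirm the transaction with the gateway over a server-to-server call using merchant credentials, so that even a leaked signing secret cannot settle orders that were never paid; how iPaymu exposes such a check is not covered by this page.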

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429657%40ipaymu-for-woocommerce&new=3429657%40ipaymu-for-woocommerce

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'iPaymu Payment Gateway for WooCommerce'.
4. Click 'Update Now' if available.
5. If no update is offered, download version 2.0.3 or later from WordPress.org and update manually.

🔧 Temporary Workarounds

Block Webhook Endpoint

all

Temporarily block direct requests to PHP files under the plugin directory at the web server. This also blocks iPaymu's legitimate callbacks, so orders will not be confirmed automatically while the rule is in place; reconcile them by hand. The page does not give the callback path: if the plugin receives notifications through WooCommerce's own API handler (the ?wc-api= route) rather than a directly requested PHP file, these rules do not cover it.

# For Apache: add to .htaccess (requires mod_rewrite)
RewriteEngine On
RewriteRule ^wp-content/plugins/ipaymu-for-woocommerce/.*\.php$ - [F,L]
# For Nginx: add to the server block, before the generic "location ~ \.php$" block,
# since the first matching regex location wins
location ~ ^/wp-content/plugins/ipaymu-for-woocommerce/.*\.php$ { deny all; }

Disable Plugin

linux

Temporarily disable the iPaymu plugin until patched. While it is deactivated the callback handler is not registered, but customers cannot pay via iPaymu either, and any callbacks the gateway sends for in-flight orders are not processed.

# Via wp-cli
wp plugin deactivate ipaymu-for-woocommerce

🧯 If You Can't Patch

  • If iPaymu publishes the source addresses its callbacks come from, restrict the callback path to those addresses at the web server or WAF; otherwise add WAF rules that rate-limit and log requests to the plugin directory.
  • Monitor web server logs for requests to the plugin's webhook URLs from addresses other than the gateway's, and reconcile orders marked completed against actual settlements in the iPaymu merchant account.

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins > Installed Plugins and read the iPaymu Payment Gateway version. If it is 2.0.2 or lower and the plugin is active, the site is vulnerable.

Check Version:

wp plugin get ipaymu-for-woocommerce --field=version

Verify Fix Applied:

After updating, confirm the plugin version shows 2.0.3 or higher in WordPress admin (or via the wp-cli command above). Then place a test order through iPaymu's sandbox or test mode, if your account has one, and confirm the legitimate callback still moves the order to paid; an order that stays pending after a successful test payment means the gateway's callback is now being rejected, for example by one of the temporary blocks above if it was left in place.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to paths under /wp-content/plugins/ipaymu-for-woocommerce/ carrying order identifiers and status values that did not originate from iPaymu
  • GET requests to the webhook endpoint with order_id parameters from unexpected IPs, especially runs of sequential order_id values, which indicate enumeration
  • Orders moving to 'completed' (or 'processing', WooCommerce's usual post-payment status for physical goods) with no corresponding payment record in the gateway's merchant dashboard

Network Indicators:

  • Unusual traffic patterns to plugin webhook endpoints
  • Requests from IPs not associated with iPaymu payment gateway

SIEM Query:

source="web_server_logs" uri_path="/wp-content/plugins/ipaymu-for-woocommerce/*" NOT src_ip IN (iPaymu_IPs)
| stats count min(_time) max(_time) by src_ip, http_method, uri_path

iPaymu_IPs is a placeholder for the gateway's published callback source addresses. The path needs the trailing wildcard: an exact match on the directory misses the PHP files beneath it. Filtering to GET or POST adds nothing, since both methods are of interest here.
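The indicators above, run as code over access-log lines, as an added example that is not from the page or the plugin. The log format is Apache/nginx "combined"; the gateway source range (TEST-NET-3), the callback filename callback.php and the order and payment records are constructed placeholders, since the page gives none of them.

```python
"""Added example (not from the page or the plugin): run the detection logic
above over access-log lines. The log format is Apache/nginx "combined";
the gateway source range, the callback filename and the order/payment
records are constructed placeholders, since the page gives none of them."""
import ipaddress
import re

# Assumption: callback source addresses published by the gateway. TEST-NET-3 here.
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
PLUGIN_PREFIX = "/wp-content/plugins/ipaymu-for-woocommerce/"

# Combined log format: ip ident user [ts] "METHOD uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def from_gateway(ip):
    """True if the source address falls inside an allowlisted gateway range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in GATEWAY_NETS)

def suspicious_requests(lines):
    """Requests into the plugin directory that did not come from the gateway.
    Any method counts: the page notes both POSTs that flip status and GETs
    that read order details."""
    hits = []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        path = r["uri"].split("?", 1)[0]
        if path.startswith(PLUGIN_PREFIX) and not from_gateway(r["ip"]):
            hits.append({"ip": r["ip"], "method": r["method"], "uri": r["uri"], "status": r["status"]})
    return hits

def orders_without_payment(orders, payments):
    """Completed orders with no payment record behind them: the financial symptom."""
    paid = {p["order_id"] for p in payments}
    return sorted(o["id"] for o in orders if o["status"] == "completed" and o["id"] not in paid)

# Constructed sample traffic. "callback.php" is a placeholder filename.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0700] "POST /wp-content/plugins/ipaymu-for-woocommerce/callback.php HTTP/1.1" 200 12 "-" "iPaymu-Notify"',
    '198.51.100.23 - - [12/Jan/2026:10:05:44 +0700] "POST /wp-content/plugins/ipaymu-for-woocommerce/callback.php?order_id=1001&status=paid HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.23 - - [12/Jan/2026:10:05:45 +0700] "GET /wp-content/plugins/ipaymu-for-woocommerce/callback.php?order_id=1002 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.9 - - [12/Jan/2026:10:07:00 +0700] "GET /shop/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    'not a log line',
]

# Constructed order and payment records (WooCommerce orders vs. gateway settlements).
SAMPLE_ORDERS = [
    {"id": "1001", "status": "completed"},
    {"id": "1002", "status": "pending"},
    {"id": "1003", "status": "completed"},
]
SAMPLE_PAYMENTS = [{"order_id": "1003", "trx_id": "TRX-77"}]

if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", h)
    print("completed without payment:", orders_without_payment(SAMPLE_ORDERS, SAMPLE_PAYMENTS))
```

The two checks are deliberately independent: the log scan catches attempts whether or not they succeeded, while the order-versus-payment reconciliation catches successful abuse even when the attacker's requests were not logged (for example, behind a caching layer that logs elsewhere).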
