Authorization Bypass Vulnerability in Fortis for WooCommerce Plugin by WordPress
CVE-2026-0679
5.3 MEDIUM
What is CVE-2026-0679?
The Fortis for WooCommerce plugin for WordPress is susceptible to an authorization bypass due to an inverted nonce check in its 'check_fortis_notify_response' function. This vulnerability exists across all versions up to and including 1.2.0. It allows unauthenticated attackers to manipulate order statuses, effectively marking WooCommerce orders as paid or processed without any legitimate payment being received. This poses a significant risk to online merchants utilizing this plugin.
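The inverted-check pattern described above, beside its corrected form, as an added illustration that is not the Fortis plugin's source code. The handler names, the 'fortis_notify' action string, the request field and the stand-in for wp_verify_nonce() are assumptions made so the file runs outside WordPress.

```php
<?php
// Added illustration; not the Fortis plugin's code. Handler names, the
// 'fortis_notify' action string and the 'nonce' field are hypothetical.

// Stand-in so this file runs outside WordPress. In a plugin, the real
// wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action = -1 ) {
        $expected = hash_hmac( 'sha256', (string) $action, 'constructed-test-key' );
        return hash_equals( $expected, (string) $nonce ) ? 1 : false;
    }
}

// Inverted check: the early return fires when the nonce IS valid, so a
// request with a missing or bogus nonce falls through to the status change.
function notify_handler_inverted( array $request, array &$order ) {
    $nonce = isset( $request['nonce'] ) ? (string) $request['nonce'] : '';
    if ( wp_verify_nonce( $nonce, 'fortis_notify' ) ) {
        return false;
    }
    $order['status'] = 'processing';
    return true;
}

// Corrected check: reject the request unless verification succeeds.
function notify_handler_fixed( array $request, array &$order ) {
    $nonce = isset( $request['nonce'] ) ? (string) $request['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'fortis_notify' ) ) {
        return false;
    }
    $order['status'] = 'processing';
    return true;
}

// Constructed requests: one with no nonce, one carrying a valid nonce.
$valid = array( 'nonce' => hash_hmac( 'sha256', 'fortis_notify', 'constructed-test-key' ) );
foreach ( array( 'no nonce' => array(), 'valid nonce' => $valid ) as $label => $request ) {
    $a = array( 'status' => 'pending' );
    $b = array( 'status' => 'pending' );
    notify_handler_inverted( $request, $a );
    notify_handler_fixed( $request, $b );
    printf( "%-12s inverted=%-10s fixed=%s\n", $label, $a['status'], $b['status'] );
}
```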
Affected Version(s)
Fortis for WooCommerce: versions 0 through 1.2.0 (<= 1.2.0)