Improper Signature Verification Vulnerability in Payment Gateway for Redsys and WooCommerce Lite Plugin
CVE-2026-5050

7.5HIGH

Key Information:

Vendor: WordPress
Status: Payment Gateway For Redsys & WooCommerce Lite
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-5050?

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress contains a vulnerability that allows unauthenticated attackers to manipulate payment statuses. Specifically, the plugin fails to properly validate the Ds_Signature from incoming requests during successful_request() handling. This deficiency enables attackers to forge payment callback data, which can lead to unauthorized orders being marked as paid without the appropriate payment being processed. This vulnerability affects versions up to and including 7.0.0 and poses a significant risk to e-commerce operations utilizing this plugin with payment systems such as Redsys, Bizum, and Google Pay.

Affected Version(s)

Payment Gateway for Redsys & WooCommerce Lite 0 <= 7.0.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3501998/woo-...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Mar 27, 2026

Credit

Nguyen Ngoc Duc

CVE-2026-5050 Data

JSON