Access Control Flaw in Eupago Gateway for WooCommerce Plugin by WordPress
CVE-2026-7862

Currently unrated

Key Information:

Vendor: WordPress
Status: Eupago Gateway For WooCommerce
Vendor: CVE Published:; 28 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7862?

The Eupago Gateway for WooCommerce plugin prior to version 4.7.2 features a significant security flaw where access control mechanisms are inadequately enforced. This allows unauthorized individuals to exploit the refund request handler, enabling them to initiate refunds on any WooCommerce order. Through this vulnerability, attackers can manipulate the merchant's payment gateway credentials and potentially redirect refunded amounts to bank accounts they control. It is crucial for WooCommerce users employing the Eupago Gateway plugin to update to the latest version to safeguard their transactions and financial assets.

Affected Version(s)

Eupago Gateway For Woocommerce 0 < 4.7.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7862 - Proof of Concept

References

https://wpscan.com/vulnerability/b4ce2a06-b435-4b77-851f-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 28, 2026
👾
Exploit known to exist
May 28, 2026
Vulnerability published
May 28, 2026
Vulnerability Reserved
May 5, 2026

Credit

Pedro Pinho

WPScan

CVE-2026-7862 Data

JSON