Payment Bypass Vulnerability in CorvusPay WooCommerce Payment Gateway Plugin for WordPress
CVE-2026-9027

5.3MEDIUM

What is CVE-2026-9027?

The CorvusPay WooCommerce Payment Gateway plugin has a security flaw that allows attackers to bypass payment verification. Due to improper handling of cryptographic signature validation in the corvuspay_success_handler function, the plugin fails to conditionally check the validity of the payment signature. Instead, it logs the result without enforcing any access restrictions, thereby enabling unauthorized users to mark any order as paid by sending a crafted POST request to the REST endpoint. This flaw potentially allows attackers to exploit WooCommerce sites to receive goods or services without making actual payments.

Affected Version(s)

CorvusPay WooCommerce Payment Gateway 0 <= 2.7.4

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valatty
.