Payment Bypass Vulnerability in CorvusPay WooCommerce Payment Gateway Plugin for WordPress
CVE-2026-9027
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-9027?
The CorvusPay WooCommerce Payment Gateway plugin has a security flaw that allows attackers to bypass payment verification. Due to improper handling of cryptographic signature validation in the corvuspay_success_handler function, the plugin fails to conditionally check the validity of the payment signature. Instead, it logs the result without enforcing any access restrictions, thereby enabling unauthorized users to mark any order as paid by sending a crafted POST request to the REST endpoint. This flaw potentially allows attackers to exploit WooCommerce sites to receive goods or services without making actual payments.
Affected Version(s)
CorvusPay WooCommerce Payment Gateway 0 <= 2.7.4