Authorization Bypass in CorvusPay WooCommerce Payment Gateway Plugin for WordPress
CVE-2026-9028

5.3MEDIUM

What is CVE-2026-9028?

The CorvusPay WooCommerce Payment Gateway plugin for WordPress has a vulnerability allowing unauthorized users to cancel any WooCommerce order processed through the CorvusPay payment method. This flaw arises from inadequate verification of user permissions when performing cancelation actions via the /wp-json/corvuspay/cancel/ REST endpoint. As a result, an attacker can exploit this vulnerability by simply providing a valid order number, leading to potential financial loss for affected e-commerce sites and impacting overall trust in payment processing security.

Affected Version(s)

CorvusPay WooCommerce Payment Gateway 0 <= 2.7.4

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valatty
.