Authorization Bypass in CorvusPay WooCommerce Payment Gateway Plugin for WordPress
CVE-2026-9028
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-9028?
The CorvusPay WooCommerce Payment Gateway plugin for WordPress has a vulnerability allowing unauthorized users to cancel any WooCommerce order processed through the CorvusPay payment method. This flaw arises from inadequate verification of user permissions when performing cancelation actions via the /wp-json/corvuspay/cancel/ REST endpoint. As a result, an attacker can exploit this vulnerability by simply providing a valid order number, leading to potential financial loss for affected e-commerce sites and impacting overall trust in payment processing security.
Affected Version(s)
CorvusPay WooCommerce Payment Gateway 0 <= 2.7.4