CVE-2026-9027

MEDIUM

CVSS v3.1: 5.3

NetworkNo privilegesNo user interactionVendor advisory ref

Source data as of:

At a glance

Severity
MEDIUM
CVSS
5.3 v3.1 · NVD
EPSS
EPSS not provided by FIRST.org for this CVE
CISA KEV
No
Attack conditions (CVSS vector)
NetworkNo privilegesNo user interaction · Source: NVD Vector
Published
2026-07-09 · Modified: 2026-07-09

CVSS / EPSS / KEV

CVSS v3.1 5.3 / 10 MEDIUM Source: NVD
EPSS EPSS not provided by FIRST.org for this CVE Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The `corvuspay_success_handler` function registers the REST endpoint `POST /wp-json/corvuspay/success/` with `'permission_callback' => '__return_true'`, and while it calls `$this->client->validate->signature()` and stores the boolean result in `$res`, the result is never evaluated in a conditional — it is only written to the debug log — causing execution to unconditionally reach `$order->payment_complete()` regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the `order_number` POST parameter, requiring no prior knowledge of the victim order.

Record details

CVE ID
CVE-2026-9027
CVSS (v3.1)
5.3 (MEDIUM)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability subscore
3.9
Impact subscore
1.4
CISA KEV
No
Weakness (CWE)
CWE-347
Affected configurations (CPE)
0
Published
2026-07-09
Modified
2026-07-09
Status
Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.