CVE-2026-0692

BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation

highMissing Authorization
7.5
CVSS Score
7.5
CVSS Score
high
Severity
3.4.1
Patched in
21d
Time to patch

Description

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
None
Availability

Technical Details

Affected versions<=3.4.0
PublishedFebruary 13, 2026
Last updatedMarch 6, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and exploitation strategy for **CVE-2026-0692**, a missing authorization vulnerability in the **BlueSnap Payment Gateway for WooCommerce** plugin. --- ### 1. Vulnerability Summary The BlueSnap Payment Gateway for WooCommerce plugin (up to version 3.4.0) fails to pro…

Show full research plan

This plan outlines the research and exploitation strategy for CVE-2026-0692, a missing authorization vulnerability in the BlueSnap Payment Gateway for WooCommerce plugin.


1. Vulnerability Summary

The BlueSnap Payment Gateway for WooCommerce plugin (up to version 3.4.0) fails to properly authorize Instant Payment Notification (IPN) requests. The plugin attempts to validate that the request originates from BlueSnap by checking the client's IP address against a whitelist. However, it uses the WooCommerce function WC_Geolocation::get_ip_address() to retrieve the client IP. This function is designed to be "proxy-aware" and trusts user-controlled HTTP headers such as X-Forwarded-For and X-Real-IP.

An unauthenticated attacker can spoof a whitelisted BlueSnap IP address by providing it in one of these headers. Once the IP check is bypassed, the attacker can send forged IPN data to manipulate WooCommerce order statuses (e.g., marking an unpaid order as "Completed" or "Processing").

2. Attack Vector Analysis

  • Endpoint: The WooCommerce API endpoint for the BlueSnap gateway.
  • Action: Typically registered via add_action( 'woocommerce_api_wc_gateway_bluesnap', ... ) (inferred). The URL format is https://victim.com/?wc-api=wc_gateway_bluesnap.
  • Method: POST
  • Authentication: Unauthenticated.
  • Headers: X-Forwarded-For or X-Real-IP set to a BlueSnap IP address (e.g., 141.226.141.1).
  • Payload: Forged IPN parameters representing a successful transaction.

3. Code Flow (Inferred)

  1. Entry Point: A request hits /?wc-api=wc_gateway_bluesnap.
  2. Hook Execution: WooCommerce triggers the callback registered to woocommerce_api_wc_gateway_bluesnap.
  3. IP Validation:
    • The plugin calls WC_Geolocation::get_ip_address().
    • get_ip_address() returns the value from X-Forwarded-For (if configured/available).
    • The plugin compares this value against a hardcoded or configured list of BlueSnap IPs (e.g., 141.226.141.1 - 141.226.141.254).
  4. Order Lookup: The plugin extracts an Order ID from the POST data (e.g., merchantTransactionId or custom1).
  5. Status Update: If the IP check passes, the plugin calls $order->payment_complete() or $order->update_status(), effectively marking the order as paid without actual payment.

4. Nonce Acquisition Strategy

No nonce is required.
IPN endpoints are designed for server-to-server communication (BlueSnap servers to the WordPress server). Because BlueSnap cannot "know" a WordPress nonce, these endpoints almost never implement nonce protection. They rely entirely on IP whitelisting or shared secrets (which is missing or bypassed here).

5. Exploitation Strategy

Step 1: Discover the IPN Endpoint

The wc-api parameter must match the gateway ID.

  • Check the plugin source for add_action( 'woocommerce_api_... or search for the gateway class definition inheriting from WC_Payment_Gateway.
  • Common ID: bluesnap or wc_bluesnap_gateway.

Step 2: Prepare the Spoofing Header

Use one of the known BlueSnap IP ranges:

  • 141.226.141.0/24
  • 141.226.142.0/24
  • X-Forwarded-For: 141.226.141.50

Step 3: Craft the IPN Payload

BlueSnap IPNs use standard POST parameters. To mark an order as paid, the transactionType (or similar) must indicate a success.

  • Inferred Parameters:
    • transactionType: CHARGE
    • merchantTransactionId: [TARGET_ORDER_ID]
    • referenceNumber: [FAKE_TX_ID]
    • status: Success

Step 4: Execute HTTP Request

Using the http_request tool:

{
  "method": "POST",
  "url": "http://localhost:8080/?wc-api=wc_gateway_bluesnap",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Forwarded-For": "141.226.141.1"
  },
  "body": "transactionType=CHARGE&merchantTransactionId=123&referenceNumber=999999&status=Success"
}

6. Test Data Setup

  1. Install WooCommerce: Ensure WooCommerce is active.
  2. Install Plugin: Install bluesnap-payment-gateway-for-woocommerce version 3.4.0.
  3. Configure Gateway: Enable the BlueSnap gateway in WooCommerce settings (it may need dummy API keys to be "active").
  4. Create Order:
    • Create a test product.
    • Use wp post create or the browser to place an order.
    • Note the Order ID (e.g., 123). The order should currently be in "Pending Payment" status.

7. Expected Results

  • The HTTP response should be a 200 OK (often empty or a small confirmation string like "IPN Received").
  • The order status in WooCommerce should transition from pending to processing or completed.

8. Verification Steps

After sending the exploit request, verify via WP-CLI:

# Check the status of the order
wp wc order get 123 --fields=status,is_paid

# Check order notes to see if the IPN was recorded
wp wc order_note list 123

9. Alternative Approaches

  • XML IPNs: Some versions of BlueSnap use XML payloads. If standard POST parameters fail, send an XML body with Content-Type: application/xml.
  • Parameter Brute Force: If merchantTransactionId is not the correct parameter for the Order ID, search the plugin code for $order = wc_get_order(...) to find which $_POST key is used to fetch the order. Common candidates: custom1, vendorData, orderId.
  • Different Statuses: Test changing the status to REFUND to see if the plugin handles reversals without authorization as well.
Research Findings
Static analysis — not yet PoC-verified

Summary

The BlueSnap Payment Gateway for WooCommerce plugin is vulnerable to unauthorized order status manipulation due to improper IP address validation during IPN processing. By relying on WC_Geolocation::get_ip_address(), the plugin trusts user-controllable headers like X-Forwarded-For, allowing unauthenticated attackers to spoof whitelisted BlueSnap IPs and send forged payment notifications to mark orders as paid.

Vulnerable Code

// Inferred vulnerable code from BlueSnap gateway IPN handler

public function check_ipn_request() {
    // The plugin uses a proxy-aware method that trusts HTTP headers
    $ip_address = WC_Geolocation::get_ip_address();

    // Whitelist check against BlueSnap IP ranges
    if ( ! $this->is_bluesnap_ip( $ip_address ) ) {
        wp_die( 'IPN Request Failure: Invalid IP' );
    }

    $this->handle_ipn_notification();
}

private function handle_ipn_notification() {
    $order_id = sanitize_text_field( $_POST['merchantTransactionId'] );
    $order    = wc_get_order( $order_id );

    if ( 'CHARGE' === $_POST['transactionType'] ) {
        $order->payment_complete();
    }
}

Security Fix

--- a/includes/class-wc-bluesnap-gateway.php
+++ b/includes/class-wc-bluesnap-gateway.php
@@ -254,7 +254,7 @@
     public function check_ipn_request() {
-        $ip_address = WC_Geolocation::get_ip_address();
+        $ip_address = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
 
         if ( ! $this->is_bluesnap_ip( $ip_address ) ) {
             wp_die( 'IPN Request Failure: Invalid IP', 'BlueSnap IPN', array( 'response' => 401 ) );

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker identifies a target order ID and sends a POST request to the plugin's IPN endpoint, typically `/?wc-api=wc_gateway_bluesnap`. The attacker includes a spoofed IP address in the `X-Forwarded-For` or `X-Real-IP` header (e.g., `141.226.141.1`) to bypass the plugin's IP allowlist check, which incorrectly trusts these headers via `WC_Geolocation::get_ip_address()`. The request body contains forged BlueSnap IPN parameters such as `transactionType=CHARGE` and `merchantTransactionId=[TARGET_ORDER_ID]`, which triggers the plugin to update the WooCommerce order status to 'Processing' or 'Completed' without actual payment.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.