BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation
Description
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NTechnical Details
<=3.4.0Source Code
WordPress.org SVNThis plan outlines the research and exploitation strategy for **CVE-2026-0692**, a missing authorization vulnerability in the **BlueSnap Payment Gateway for WooCommerce** plugin. --- ### 1. Vulnerability Summary The BlueSnap Payment Gateway for WooCommerce plugin (up to version 3.4.0) fails to pro…
Show full research plan
This plan outlines the research and exploitation strategy for CVE-2026-0692, a missing authorization vulnerability in the BlueSnap Payment Gateway for WooCommerce plugin.
1. Vulnerability Summary
The BlueSnap Payment Gateway for WooCommerce plugin (up to version 3.4.0) fails to properly authorize Instant Payment Notification (IPN) requests. The plugin attempts to validate that the request originates from BlueSnap by checking the client's IP address against a whitelist. However, it uses the WooCommerce function WC_Geolocation::get_ip_address() to retrieve the client IP. This function is designed to be "proxy-aware" and trusts user-controlled HTTP headers such as X-Forwarded-For and X-Real-IP.
An unauthenticated attacker can spoof a whitelisted BlueSnap IP address by providing it in one of these headers. Once the IP check is bypassed, the attacker can send forged IPN data to manipulate WooCommerce order statuses (e.g., marking an unpaid order as "Completed" or "Processing").
2. Attack Vector Analysis
- Endpoint: The WooCommerce API endpoint for the BlueSnap gateway.
- Action: Typically registered via
add_action( 'woocommerce_api_wc_gateway_bluesnap', ... )(inferred). The URL format ishttps://victim.com/?wc-api=wc_gateway_bluesnap. - Method:
POST - Authentication: Unauthenticated.
- Headers:
X-Forwarded-FororX-Real-IPset to a BlueSnap IP address (e.g.,141.226.141.1). - Payload: Forged IPN parameters representing a successful transaction.
3. Code Flow (Inferred)
- Entry Point: A request hits
/?wc-api=wc_gateway_bluesnap. - Hook Execution: WooCommerce triggers the callback registered to
woocommerce_api_wc_gateway_bluesnap. - IP Validation:
- The plugin calls
WC_Geolocation::get_ip_address(). get_ip_address()returns the value fromX-Forwarded-For(if configured/available).- The plugin compares this value against a hardcoded or configured list of BlueSnap IPs (e.g.,
141.226.141.1 - 141.226.141.254).
- The plugin calls
- Order Lookup: The plugin extracts an Order ID from the POST data (e.g.,
merchantTransactionIdorcustom1). - Status Update: If the IP check passes, the plugin calls
$order->payment_complete()or$order->update_status(), effectively marking the order as paid without actual payment.
4. Nonce Acquisition Strategy
No nonce is required.
IPN endpoints are designed for server-to-server communication (BlueSnap servers to the WordPress server). Because BlueSnap cannot "know" a WordPress nonce, these endpoints almost never implement nonce protection. They rely entirely on IP whitelisting or shared secrets (which is missing or bypassed here).
5. Exploitation Strategy
Step 1: Discover the IPN Endpoint
The wc-api parameter must match the gateway ID.
- Check the plugin source for
add_action( 'woocommerce_api_...or search for the gateway class definition inheriting fromWC_Payment_Gateway. - Common ID:
bluesnaporwc_bluesnap_gateway.
Step 2: Prepare the Spoofing Header
Use one of the known BlueSnap IP ranges:
141.226.141.0/24141.226.142.0/24X-Forwarded-For: 141.226.141.50
Step 3: Craft the IPN Payload
BlueSnap IPNs use standard POST parameters. To mark an order as paid, the transactionType (or similar) must indicate a success.
- Inferred Parameters:
transactionType:CHARGEmerchantTransactionId:[TARGET_ORDER_ID]referenceNumber:[FAKE_TX_ID]status:Success
Step 4: Execute HTTP Request
Using the http_request tool:
{
"method": "POST",
"url": "http://localhost:8080/?wc-api=wc_gateway_bluesnap",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
"X-Forwarded-For": "141.226.141.1"
},
"body": "transactionType=CHARGE&merchantTransactionId=123&referenceNumber=999999&status=Success"
}
6. Test Data Setup
- Install WooCommerce: Ensure WooCommerce is active.
- Install Plugin: Install
bluesnap-payment-gateway-for-woocommerceversion 3.4.0. - Configure Gateway: Enable the BlueSnap gateway in WooCommerce settings (it may need dummy API keys to be "active").
- Create Order:
- Create a test product.
- Use
wp post createor the browser to place an order. - Note the Order ID (e.g., 123). The order should currently be in "Pending Payment" status.
7. Expected Results
- The HTTP response should be a
200 OK(often empty or a small confirmation string like "IPN Received"). - The order status in WooCommerce should transition from
pendingtoprocessingorcompleted.
8. Verification Steps
After sending the exploit request, verify via WP-CLI:
# Check the status of the order
wp wc order get 123 --fields=status,is_paid
# Check order notes to see if the IPN was recorded
wp wc order_note list 123
9. Alternative Approaches
- XML IPNs: Some versions of BlueSnap use XML payloads. If standard POST parameters fail, send an XML body with
Content-Type: application/xml. - Parameter Brute Force: If
merchantTransactionIdis not the correct parameter for the Order ID, search the plugin code for$order = wc_get_order(...)to find which$_POSTkey is used to fetch the order. Common candidates:custom1,vendorData,orderId. - Different Statuses: Test changing the status to
REFUNDto see if the plugin handles reversals without authorization as well.
Summary
The BlueSnap Payment Gateway for WooCommerce plugin is vulnerable to unauthorized order status manipulation due to improper IP address validation during IPN processing. By relying on WC_Geolocation::get_ip_address(), the plugin trusts user-controllable headers like X-Forwarded-For, allowing unauthenticated attackers to spoof whitelisted BlueSnap IPs and send forged payment notifications to mark orders as paid.
Vulnerable Code
// Inferred vulnerable code from BlueSnap gateway IPN handler public function check_ipn_request() { // The plugin uses a proxy-aware method that trusts HTTP headers $ip_address = WC_Geolocation::get_ip_address(); // Whitelist check against BlueSnap IP ranges if ( ! $this->is_bluesnap_ip( $ip_address ) ) { wp_die( 'IPN Request Failure: Invalid IP' ); } $this->handle_ipn_notification(); } private function handle_ipn_notification() { $order_id = sanitize_text_field( $_POST['merchantTransactionId'] ); $order = wc_get_order( $order_id ); if ( 'CHARGE' === $_POST['transactionType'] ) { $order->payment_complete(); } }
Security Fix
@@ -254,7 +254,7 @@ public function check_ipn_request() { - $ip_address = WC_Geolocation::get_ip_address(); + $ip_address = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : ''; if ( ! $this->is_bluesnap_ip( $ip_address ) ) { wp_die( 'IPN Request Failure: Invalid IP', 'BlueSnap IPN', array( 'response' => 401 ) );
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker identifies a target order ID and sends a POST request to the plugin's IPN endpoint, typically `/?wc-api=wc_gateway_bluesnap`. The attacker includes a spoofed IP address in the `X-Forwarded-For` or `X-Real-IP` header (e.g., `141.226.141.1`) to bypass the plugin's IP allowlist check, which incorrectly trusts these headers via `WC_Geolocation::get_ip_address()`. The request body contains forged BlueSnap IPN parameters such as `transactionType=CHARGE` and `merchantTransactionId=[TARGET_ORDER_ID]`, which triggers the plugin to update the WooCommerce order status to 'Processing' or 'Completed' without actual payment.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.