iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure
Description
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NTechnical Details
<=2.0.2Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-0656 ## 1. Vulnerability Summary The **iPaymu Payment Gateway for WooCommerce** plugin (versions <= 2.0.2) contains a critical missing authentication and authorization vulnerability within its webhook processing logic, specifically the `check_ipaymu_response` …
Show full research plan
Exploitation Research Plan: CVE-2026-0656
1. Vulnerability Summary
The iPaymu Payment Gateway for WooCommerce plugin (versions <= 2.0.2) contains a critical missing authentication and authorization vulnerability within its webhook processing logic, specifically the check_ipaymu_response function.
The plugin fails to verify the authenticity of incoming requests (missing signature verification, IP whitelisting, or secret tokens). This allows unauthenticated attackers to:
- Bypass Payment: Mark any WooCommerce order as "Processing" or "Completed" by sending a forged POST request mimicking a successful payment notification.
- Information Disclosure: Enumerate valid order IDs and retrieve sensitive Order Keys and customer PII (names, addresses, phone numbers) via crafted GET requests to the callback endpoint.
2. Attack Vector Analysis
- Endpoint: The vulnerability is reachable via the WooCommerce API callback mechanism.
- Inferred URL:
http://[target]/index.php?wc-api=WC_Gateway_Ipaymu(or similar, depending on the gateway class ID).
- Inferred URL:
- HTTP Methods:
GET: Used for order enumeration and PII disclosure.POST: Used for payment status manipulation.
- Authentication: None required (Unauthenticated).
- Preconditions:
- The plugin must be active.
- At least one WooCommerce order must exist in the system for PII disclosure.
3. Code Flow (Inferred)
- Registration: The plugin registers a callback using the
woocommerce_api_{gateway_id}hook (likelywoocommerce_api_wc_gateway_ipaymu). - Entry Point: When a request hits
?wc-api=WC_Gateway_Ipaymu, WooCommerce invokes thecheck_ipaymu_response()method. - Vulnerable Logic:
- The function retrieves parameters from
$_GETor$_POST(e.g.,sid,status,reference). - It likely loads the order using
$order = wc_get_order( $_GET['sid'] )or similar. - The Sink (Info Disclosure): If the request is a
GET, the function may output order details for "verification" purposes without checking if the requester is iPaymu or the order owner. - The Sink (Payment Bypass): If the request is a
POSTand containsstatus=berhasil(orsuccess), it calls$order->payment_complete()or$order->update_status('processing')without validating a signature.
- The function retrieves parameters from
4. Nonce Acquisition Strategy
According to the CVE description, this vulnerability involves Missing Authentication on a webhook/callback endpoint.
- Nonce Requirement: Webhook endpoints designed to receive asynchronous notifications from third-party servers (like iPaymu) do not use WordPress nonces, as the external server cannot know the nonce value.
- Conclusion: No nonce is required for this exploit.
5. Exploitation Strategy
Phase 1: Information Disclosure & Order Enumeration
The goal is to find valid Order IDs and their corresponding Order Keys.
- Request Type: GET
- Target URL:
http://[target]/?wc-api=WC_Gateway_Ipaymu&sid=[ORDER_ID] - Payload: Iterate
sidfrom 1 upwards. - Expected Response: The plugin may return JSON or HTML containing the
order_keyor full PII. - PII Access: Once the
order_keyis obtained, the full order details (Address, Email, Phone) can be accessed via the standard WooCommerce "Order Received" page:http://[target]/checkout/order-received/[ORDER_ID]/?key=[ORDER_KEY]
Phase 2: Unauthenticated Payment Bypass
The goal is to change an order status from "Pending Payment" to "Processing".
- Request Type: POST
- Target URL:
http://[target]/?wc-api=WC_Gateway_Ipaymu - Content-Type:
application/x-www-form-urlencoded - Parameters (Based on iPaymu API):
sid: The target Order ID.status:berhasil(common iPaymu "success" indicator) orsuccess.reference: Any dummy string.
- Expected Response: A
200 OKresponse, potentially with the textOKor a confirmation message.
6. Test Data Setup
- Install WooCommerce: Ensure WooCommerce is active.
- Install Plugin: Install
ipaymu-for-woocommerceversion 2.0.2. - Create Product: Create a simple product priced at $100.
- Place Order: As a guest user, place an order for the product. Note the Order ID (e.g.,
123). - Verify Initial State: Use WP-CLI to confirm the order status is
pending:wp wc order get 123 --field=status
7. Expected Results
- Exploit Success (Info): The GET request to the callback endpoint returns a response containing the string
order_keyor customer data. - Exploit Success (Bypass): After the POST request, the order status in WooCommerce changes from
pendingtoprocessingorcompleted.
8. Verification Steps
- Check Order Status via WP-CLI:
wp wc order get [ORDER_ID] --field=status
Result should beprocessing. - Verify Order Note:
wp wc order_note list [ORDER_ID]
Check if a note was added indicating payment was successful via iPaymu. - PII Access Confirmation:
Access the "Order Received" URL derived in Phase 1 and confirm that names, addresses, and product details are visible.
9. Alternative Approaches
If ?wc-api=WC_Gateway_Ipaymu does not respond:
- Check Plugin Source for ID: Search the plugin files for
add_action( 'woocommerce_api_to find the exact gateway ID used in the hook. - Vary Parameters: If
sidfails, tryid,order_id, ortrx_idbased on iPaymu's different API versions (some usesidfor "Session ID" which maps to the order). - Direct File Access: Check if
ipaymu-for-woocommerce/callback.php(or similar) exists and can be called directly, as some older gateways bypass thewc-apiwrapper.
Summary
The iPaymu Payment Gateway for WooCommerce plugin is vulnerable to unauthenticated payment bypass and sensitive information disclosure via its webhook endpoint. Because the plugin fails to verify the authenticity of incoming requests (missing signature or origin checks), an attacker can forge payment success notifications to mark orders as paid or enumerate order IDs to retrieve customer PII.
Vulnerable Code
/* ipaymu-for-woocommerce/class-wc-gateway-ipaymu.php */ public function check_ipaymu_response() { $sid = $_GET['sid']; $order = wc_get_order( $sid ); if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) { if ( isset( $_POST['status'] ) && $_POST['status'] == 'berhasil' ) { $order->payment_complete( $_POST['reference'] ); $order->add_order_note( __( 'iPaymu payment completed', 'ipaymu-for-woocommerce' ) ); exit; } } else { // Unauthenticated disclosure of order details echo json_encode( $order->get_data() ); exit; } }
Security Fix
@@ -10,6 +10,14 @@ $sid = $_GET['sid']; $order = wc_get_order( $sid ); + $received_signature = $_POST['signature']; + $api_key = $this->get_option( 'api_key' ); + $expected_signature = hash_hmac( 'sha256', $sid . $_POST['status'], $api_key ); + + if ( ! hash_equals( $expected_signature, $received_signature ) ) { + wp_die( 'Invalid signature', 'Unauthorized', array( 'response' => 401 ) ); + } + if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) { if ( isset( $_POST['status'] ) && $_POST['status'] == 'berhasil' ) { $order->payment_complete( $_POST['reference'] );
Exploit Outline
The exploit targets the WooCommerce API callback endpoint for the iPaymu gateway (typically `/?wc-api=WC_Gateway_Ipaymu`). 1. Information Disclosure: An unauthenticated attacker sends a GET request to the endpoint with a guessed `sid` parameter (order ID). Because there is no authentication, the server returns the order's JSON data, including the order key and customer PII (name, address, email). 2. Payment Bypass: The attacker sends a POST request to the same endpoint. The payload includes `sid` (the target order ID) and `status=berhasil`. Since the plugin does not verify if the request originated from iPaymu or check a cryptographic signature, it invokes `$order->payment_complete()`, marking the order as paid without an actual transaction occurring.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.