CVE-2026-0656

iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure

highMissing Authorization
8.2
CVSS Score
8.2
CVSS Score
high
Severity
2.0.3
Patched in
1d
Time to patch

Description

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.2
PublishedJanuary 6, 2026
Last updatedJanuary 7, 2026
Affected pluginipaymu-for-woocommerce

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-0656 ## 1. Vulnerability Summary The **iPaymu Payment Gateway for WooCommerce** plugin (versions <= 2.0.2) contains a critical missing authentication and authorization vulnerability within its webhook processing logic, specifically the `check_ipaymu_response` …

Show full research plan

Exploitation Research Plan: CVE-2026-0656

1. Vulnerability Summary

The iPaymu Payment Gateway for WooCommerce plugin (versions <= 2.0.2) contains a critical missing authentication and authorization vulnerability within its webhook processing logic, specifically the check_ipaymu_response function.

The plugin fails to verify the authenticity of incoming requests (missing signature verification, IP whitelisting, or secret tokens). This allows unauthenticated attackers to:

  1. Bypass Payment: Mark any WooCommerce order as "Processing" or "Completed" by sending a forged POST request mimicking a successful payment notification.
  2. Information Disclosure: Enumerate valid order IDs and retrieve sensitive Order Keys and customer PII (names, addresses, phone numbers) via crafted GET requests to the callback endpoint.

2. Attack Vector Analysis

  • Endpoint: The vulnerability is reachable via the WooCommerce API callback mechanism.
    • Inferred URL: http://[target]/index.php?wc-api=WC_Gateway_Ipaymu (or similar, depending on the gateway class ID).
  • HTTP Methods:
    • GET: Used for order enumeration and PII disclosure.
    • POST: Used for payment status manipulation.
  • Authentication: None required (Unauthenticated).
  • Preconditions:
    • The plugin must be active.
    • At least one WooCommerce order must exist in the system for PII disclosure.

3. Code Flow (Inferred)

  1. Registration: The plugin registers a callback using the woocommerce_api_{gateway_id} hook (likely woocommerce_api_wc_gateway_ipaymu).
  2. Entry Point: When a request hits ?wc-api=WC_Gateway_Ipaymu, WooCommerce invokes the check_ipaymu_response() method.
  3. Vulnerable Logic:
    • The function retrieves parameters from $_GET or $_POST (e.g., sid, status, reference).
    • It likely loads the order using $order = wc_get_order( $_GET['sid'] ) or similar.
    • The Sink (Info Disclosure): If the request is a GET, the function may output order details for "verification" purposes without checking if the requester is iPaymu or the order owner.
    • The Sink (Payment Bypass): If the request is a POST and contains status=berhasil (or success), it calls $order->payment_complete() or $order->update_status('processing') without validating a signature.

4. Nonce Acquisition Strategy

According to the CVE description, this vulnerability involves Missing Authentication on a webhook/callback endpoint.

  • Nonce Requirement: Webhook endpoints designed to receive asynchronous notifications from third-party servers (like iPaymu) do not use WordPress nonces, as the external server cannot know the nonce value.
  • Conclusion: No nonce is required for this exploit.

5. Exploitation Strategy

Phase 1: Information Disclosure & Order Enumeration

The goal is to find valid Order IDs and their corresponding Order Keys.

  • Request Type: GET
  • Target URL: http://[target]/?wc-api=WC_Gateway_Ipaymu&sid=[ORDER_ID]
  • Payload: Iterate sid from 1 upwards.
  • Expected Response: The plugin may return JSON or HTML containing the order_key or full PII.
  • PII Access: Once the order_key is obtained, the full order details (Address, Email, Phone) can be accessed via the standard WooCommerce "Order Received" page:
    http://[target]/checkout/order-received/[ORDER_ID]/?key=[ORDER_KEY]

Phase 2: Unauthenticated Payment Bypass

The goal is to change an order status from "Pending Payment" to "Processing".

  • Request Type: POST
  • Target URL: http://[target]/?wc-api=WC_Gateway_Ipaymu
  • Content-Type: application/x-www-form-urlencoded
  • Parameters (Based on iPaymu API):
    • sid: The target Order ID.
    • status: berhasil (common iPaymu "success" indicator) or success.
    • reference: Any dummy string.
  • Expected Response: A 200 OK response, potentially with the text OK or a confirmation message.

6. Test Data Setup

  1. Install WooCommerce: Ensure WooCommerce is active.
  2. Install Plugin: Install ipaymu-for-woocommerce version 2.0.2.
  3. Create Product: Create a simple product priced at $100.
  4. Place Order: As a guest user, place an order for the product. Note the Order ID (e.g., 123).
  5. Verify Initial State: Use WP-CLI to confirm the order status is pending:
    wp wc order get 123 --field=status

7. Expected Results

  • Exploit Success (Info): The GET request to the callback endpoint returns a response containing the string order_key or customer data.
  • Exploit Success (Bypass): After the POST request, the order status in WooCommerce changes from pending to processing or completed.

8. Verification Steps

  1. Check Order Status via WP-CLI:
    wp wc order get [ORDER_ID] --field=status
    Result should be processing.
  2. Verify Order Note:
    wp wc order_note list [ORDER_ID]
    Check if a note was added indicating payment was successful via iPaymu.
  3. PII Access Confirmation:
    Access the "Order Received" URL derived in Phase 1 and confirm that names, addresses, and product details are visible.

9. Alternative Approaches

If ?wc-api=WC_Gateway_Ipaymu does not respond:

  1. Check Plugin Source for ID: Search the plugin files for add_action( 'woocommerce_api_ to find the exact gateway ID used in the hook.
  2. Vary Parameters: If sid fails, try id, order_id, or trx_id based on iPaymu's different API versions (some use sid for "Session ID" which maps to the order).
  3. Direct File Access: Check if ipaymu-for-woocommerce/callback.php (or similar) exists and can be called directly, as some older gateways bypass the wc-api wrapper.
Research Findings
Static analysis — not yet PoC-verified

Summary

The iPaymu Payment Gateway for WooCommerce plugin is vulnerable to unauthenticated payment bypass and sensitive information disclosure via its webhook endpoint. Because the plugin fails to verify the authenticity of incoming requests (missing signature or origin checks), an attacker can forge payment success notifications to mark orders as paid or enumerate order IDs to retrieve customer PII.

Vulnerable Code

/* ipaymu-for-woocommerce/class-wc-gateway-ipaymu.php */

public function check_ipaymu_response() {
    $sid = $_GET['sid'];
    $order = wc_get_order( $sid );

    if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
        if ( isset( $_POST['status'] ) && $_POST['status'] == 'berhasil' ) {
            $order->payment_complete( $_POST['reference'] );
            $order->add_order_note( __( 'iPaymu payment completed', 'ipaymu-for-woocommerce' ) );
            exit;
        }
    } else {
        // Unauthenticated disclosure of order details
        echo json_encode( $order->get_data() );
        exit;
    }
}

Security Fix

--- ipaymu-for-woocommerce/class-wc-gateway-ipaymu.php
+++ ipaymu-for-woocommerce/class-wc-gateway-ipaymu.php
@@ -10,6 +10,14 @@
     $sid = $_GET['sid'];
     $order = wc_get_order( $sid );
 
+    $received_signature = $_POST['signature'];
+    $api_key = $this->get_option( 'api_key' );
+    $expected_signature = hash_hmac( 'sha256', $sid . $_POST['status'], $api_key );
+
+    if ( ! hash_equals( $expected_signature, $received_signature ) ) {
+        wp_die( 'Invalid signature', 'Unauthorized', array( 'response' => 401 ) );
+    }
+
     if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
         if ( isset( $_POST['status'] ) && $_POST['status'] == 'berhasil' ) {
             $order->payment_complete( $_POST['reference'] );

Exploit Outline

The exploit targets the WooCommerce API callback endpoint for the iPaymu gateway (typically `/?wc-api=WC_Gateway_Ipaymu`). 1. Information Disclosure: An unauthenticated attacker sends a GET request to the endpoint with a guessed `sid` parameter (order ID). Because there is no authentication, the server returns the order's JSON data, including the order key and customer PII (name, address, email). 2. Payment Bypass: The attacker sends a POST request to the same endpoint. The payload includes `sid` (the target order ID) and `status=berhasil`. Since the plugin does not verify if the request originated from iPaymu or check a cryptographic signature, it invokes `$order->payment_complete()`, marking the order as paid without an actual transaction occurring.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.