CVE-2026-40741

Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
7.0.1
Patched in
6d
Time to patch

Description

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.0.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=7.0.0
PublishedApril 16, 2026
Last updatedApril 21, 2026

What Changed in the Fix

Changes introduced in v7.0.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-40741 ## 1. Vulnerability Summary The **Payment Gateway for Redsys & WooCommerce Lite** plugin (<= 7.0.0) is vulnerable to **Missing Authorization**. The vulnerability exists in the `check_ipn_response` methods of the various Redsys gateway classes (`WC_Gatew…

Show full research plan

Exploitation Research Plan - CVE-2026-40741

1. Vulnerability Summary

The Payment Gateway for Redsys & WooCommerce Lite plugin (<= 7.0.0) is vulnerable to Missing Authorization. The vulnerability exists in the check_ipn_response methods of the various Redsys gateway classes (WC_Gateway_Redsys, WC_Gateway_Bizum_Redsys, and WC_Gateway_GooglePay_Redirection_Redsys).

The plugin's logic for processing return redirects from Redsys (added in version 6.3.0 and refined in 6.4.0) allows marking WooCommerce orders as "Paid" based solely on GET parameters (Ds_Response and Ds_Order) without verifying the Redsys cryptographic signature or requiring any form of authentication. An unauthenticated attacker can spoof a successful payment notification by visiting a specific URL with a target Order ID.

2. Attack Vector Analysis

  • Endpoints:
    • Redsys: /?wc-api=WC_Gateway_redsys
    • Bizum: /?wc-api=WC_Gateway_bizumredsys
    • Google Pay: /?wc-api=WC_Gateway_googlepayredirecredsys
  • HTTP Method: GET
  • Authentication: None (Unauthenticated)
  • Vulnerable Parameters:
    • Ds_Response: Set to 0000
Research Findings
Static analysis — not yet PoC-verified

Summary

The Payment Gateway for Redsys & WooCommerce Lite plugin is vulnerable to unauthorized order status changes because it fails to verify the cryptographic signature of incoming Redsys payment notifications. This allows unauthenticated attackers to spoof successful transaction responses and mark WooCommerce orders as paid without providing a valid signature or completing a real payment.

Vulnerable Code

// classes/class-wc-gateway-redsys.php (around line 950 in v7.0.0)
		$mi_obj            = new RedsysLiteAPI();
		$dscardnumbercompl = '';
		$dsexpiration      = '';
		$dsmerchantidenti  = '';
		$dsexpiryyear      = '';
		$dsexpirymonth     = '';
		$decodedata        = $mi_obj->decode_merchant_parameters( $data );
		$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );
		$total             = $mi_obj->get_parameter( 'Ds_Amount' );
		$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );
		$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );

--- 

// classes/class-wc-gateway-bizum-redsys.php (around line 1138 in v7.0.0)
		$mi_obj            = new RedsysLiteAPI();
		$dscardnumbercompl = '';
		$dsexpiration      = '';
		$dsmerchantidenti  = '';
		$dsexpiryyear      = '';
		$dsexpirymonth     = '';
		$decodedata        = $mi_obj->decode_merchant_parameters( $data );
		$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );
		$total             = $mi_obj->get_parameter( 'Ds_Amount' );
		$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.0/classes/class-wc-gateway-bizum-redsys.php /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.1/classes/class-wc-gateway-bizum-redsys.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.0/classes/class-wc-gateway-bizum-redsys.php	2026-02-15 15:39:24.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.1/classes/class-wc-gateway-bizum-redsys.php	2026-04-08 21:21:30.000000000 +0000
@@ -1139,6 +1139,15 @@
 		$dsexpirymonth     = '';
 		$decodedata        = $mi_obj->decode_merchant_parameters( $data );
 		$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );
+
+		// Verify cryptographic signature to prevent payment forgery.
+		 if ( $localsecret !== $remote_sign ) {
+			if ( 'yes' === $this->debug ) {
+				$this->log->add( 'bizumredsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign );
+			}
+			return;
+		}
+
 		$total             = $mi_obj->get_parameter( 'Ds_Amount' );
 		$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );
 		$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.0/classes/class-wc-gateway-googlepay-redirection-redsys.php /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.1/classes/class-wc-gateway-googlepay-redirection-redsys.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.0/classes/class-wc-gateway-googlepay-redirection-redsys.php	2026-02-15 15:39:24.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.1/classes/class-wc-gateway-googlepay-redirection-redsys.php	2026-04-08 21:21:30.000000000 +0000
@@ -974,6 +974,15 @@
 		$dsexpirymonth     = '';
 		$decodedata        = $mi_obj->decode_merchant_parameters( $data );
 		$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );
+
+		// Verify cryptographic signature to prevent payment forgery.
+		if ( $localsecret !== $remote_sign ) {
+			if ( 'yes' === $this->debug ) {
+				$this->log->add( 'googlepayredirecredsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign );
+			}
+			return;
+		}
+
 		$total             = $mi_obj->get_parameter( 'Ds_Amount' );
 		$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );
 		$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.0/classes/class-wc-gateway-redsys.php /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.1/classes/class-wc-gateway-redsys.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.0/classes/class-wc-gateway-redsys.php	2026-02-15 15:39:24.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woo-redsys-gateway-light/7.0.1/classes/class-wc-gateway-redsys.php	2026-04-08 21:21:30.000000000 +0000
@@ -952,6 +940,15 @@
 		$dsexpirymonth     = '';
 		$decodedata        = $mi_obj->decode_merchant_parameters( $data );
 		$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );
+
+		// Verify cryptographic signature to prevent payment forgery.
+		if ( $localsecret !== $remote_sign ) {
+			if ( 'yes' === $this->debug ) {
+				$this->log->add( 'redsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign );
+			}
+			return;
+		}
+
 		$total             = $mi_obj->get_parameter( 'Ds_Amount' );
 		$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );
 		$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker needs to identify a valid WooCommerce order ID. The attacker can then send a GET request to one of the Redsys API endpoints provided by the plugin (e.g., `/?wc-api=WC_Gateway_redsys`). The request must include the `Ds_MerchantParameters` parameter, which contains a Base64-encoded JSON string representing a successful payment notification from Redsys. Specifically, this JSON must include the target `Ds_Order` (the order ID) and a successful `Ds_Response` (e.g., '0000'). Because the vulnerable versions of the plugin do not validate the `Ds_Signature` against the shared merchant secret, the plugin will process the notification as authentic and mark the specified order as 'Processing' or 'Completed' (Paid) in WooCommerce.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.