Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Missing Authorization
Description
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.0.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=7.0.0What Changed in the Fix
Changes introduced in v7.0.1
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-40741 ## 1. Vulnerability Summary The **Payment Gateway for Redsys & WooCommerce Lite** plugin (<= 7.0.0) is vulnerable to **Missing Authorization**. The vulnerability exists in the `check_ipn_response` methods of the various Redsys gateway classes (`WC_Gatew…
Show full research plan
Exploitation Research Plan - CVE-2026-40741
1. Vulnerability Summary
The Payment Gateway for Redsys & WooCommerce Lite plugin (<= 7.0.0) is vulnerable to Missing Authorization. The vulnerability exists in the check_ipn_response methods of the various Redsys gateway classes (WC_Gateway_Redsys, WC_Gateway_Bizum_Redsys, and WC_Gateway_GooglePay_Redirection_Redsys).
The plugin's logic for processing return redirects from Redsys (added in version 6.3.0 and refined in 6.4.0) allows marking WooCommerce orders as "Paid" based solely on GET parameters (Ds_Response and Ds_Order) without verifying the Redsys cryptographic signature or requiring any form of authentication. An unauthenticated attacker can spoof a successful payment notification by visiting a specific URL with a target Order ID.
2. Attack Vector Analysis
- Endpoints:
- Redsys:
/?wc-api=WC_Gateway_redsys - Bizum:
/?wc-api=WC_Gateway_bizumredsys - Google Pay:
/?wc-api=WC_Gateway_googlepayredirecredsys
- Redsys:
- HTTP Method:
GET - Authentication: None (Unauthenticated)
- Vulnerable Parameters:
Ds_Response: Set to0000
Summary
The Payment Gateway for Redsys & WooCommerce Lite plugin is vulnerable to unauthorized order status changes because it fails to verify the cryptographic signature of incoming Redsys payment notifications. This allows unauthenticated attackers to spoof successful transaction responses and mark WooCommerce orders as paid without providing a valid signature or completing a real payment.
Vulnerable Code
// classes/class-wc-gateway-redsys.php (around line 950 in v7.0.0) $mi_obj = new RedsysLiteAPI(); $dscardnumbercompl = ''; $dsexpiration = ''; $dsmerchantidenti = ''; $dsexpiryyear = ''; $dsexpirymonth = ''; $decodedata = $mi_obj->decode_merchant_parameters( $data ); $localsecret = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data ); $total = $mi_obj->get_parameter( 'Ds_Amount' ); $ordermi = $mi_obj->get_parameter( 'Ds_Order' ); $dscode = $mi_obj->get_parameter( 'Ds_MerchantCode' ); --- // classes/class-wc-gateway-bizum-redsys.php (around line 1138 in v7.0.0) $mi_obj = new RedsysLiteAPI(); $dscardnumbercompl = ''; $dsexpiration = ''; $dsmerchantidenti = ''; $dsexpiryyear = ''; $dsexpirymonth = ''; $decodedata = $mi_obj->decode_merchant_parameters( $data ); $localsecret = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data ); $total = $mi_obj->get_parameter( 'Ds_Amount' ); $ordermi = $mi_obj->get_parameter( 'Ds_Order' );
Security Fix
@@ -1139,6 +1139,15 @@ $dsexpirymonth = ''; $decodedata = $mi_obj->decode_merchant_parameters( $data ); $localsecret = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data ); + + // Verify cryptographic signature to prevent payment forgery. + if ( $localsecret !== $remote_sign ) { + if ( 'yes' === $this->debug ) { + $this->log->add( 'bizumredsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign ); + } + return; + } + $total = $mi_obj->get_parameter( 'Ds_Amount' ); $ordermi = $mi_obj->get_parameter( 'Ds_Order' ); $dscode = $mi_obj->get_parameter( 'Ds_MerchantCode' ); @@ -974,6 +974,15 @@ $dsexpirymonth = ''; $decodedata = $mi_obj->decode_merchant_parameters( $data ); $localsecret = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data ); + + // Verify cryptographic signature to prevent payment forgery. + if ( $localsecret !== $remote_sign ) { + if ( 'yes' === $this->debug ) { + $this->log->add( 'googlepayredirecredsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign ); + } + return; + } + $total = $mi_obj->get_parameter( 'Ds_Amount' ); $ordermi = $mi_obj->get_parameter( 'Ds_Order' ); $dscode = $mi_obj->get_parameter( 'Ds_MerchantCode' ); @@ -952,6 +940,15 @@ $dsexpirymonth = ''; $decodedata = $mi_obj->decode_merchant_parameters( $data ); $localsecret = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data ); + + // Verify cryptographic signature to prevent payment forgery. + if ( $localsecret !== $remote_sign ) { + if ( 'yes' === $this->debug ) { + $this->log->add( 'redsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign ); + } + return; + } + $total = $mi_obj->get_parameter( 'Ds_Amount' ); $ordermi = $mi_obj->get_parameter( 'Ds_Order' ); $dscode = $mi_obj->get_parameter( 'Ds_MerchantCode' );
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker needs to identify a valid WooCommerce order ID. The attacker can then send a GET request to one of the Redsys API endpoints provided by the plugin (e.g., `/?wc-api=WC_Gateway_redsys`). The request must include the `Ds_MerchantParameters` parameter, which contains a Base64-encoded JSON string representing a successful payment notification from Redsys. Specifically, this JSON must include the target `Ds_Order` (the order ID) and a successful `Ds_Response` (e.g., '0000'). Because the vulnerable versions of the plugin do not validate the `Ds_Signature` against the shared merchant secret, the plugin will process the notification as authentic and mark the specified order as 'Processing' or 'Completed' (Paid) in WooCommerce.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.