[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcnMoBKPEEFfvuh1WprUCHWBlc-0MAaagsnraUo2Z2M0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-40741","payment-gateway-for-redsys-woocommerce-lite-missing-authorization","Payment Gateway for Redsys & WooCommerce Lite \u003C= 7.0.0 - Missing Authorization","The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.0.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","woo-redsys-gateway-light",null,"\u003C=7.0.0","7.0.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-16 00:00:00","2026-04-21 14:58:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F30587c31-1c69-479f-8aa4-05c171abaab8?source=api-prod",6,[22,23,24,25,26],"classes\u002Fclass-wc-gateway-bizum-redsys.php","classes\u002Fclass-wc-gateway-googlepay-redirection-redsys.php","classes\u002Fclass-wc-gateway-redsys.php","readme.txt","woocommerce-redsys.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-40741\n\n## 1. Vulnerability Summary\nThe **Payment Gateway for Redsys & WooCommerce Lite** plugin (\u003C= 7.0.0) is vulnerable to **Missing Authorization**. The vulnerability exists in the `check_ipn_response` methods of the various Redsys gateway classes (`WC_Gateway_Redsys`, `WC_Gateway_Bizum_Redsys`, and `WC_Gateway_GooglePay_Redirection_Redsys`). \n\nThe plugin's logic for processing return redirects from Redsys (added in version 6.3.0 and refined in 6.4.0) allows marking WooCommerce orders as \"Paid\" based solely on GET parameters (`Ds_Response` and `Ds_Order`) without verifying the Redsys cryptographic signature or requiring any form of authentication. An unauthenticated attacker can spoof a successful payment notification by visiting a specific URL with a target Order ID.\n\n## 2. Attack Vector Analysis\n- **Endpoints**: \n    - Redsys: `\u002F?wc-api=WC_Gateway_redsys`\n    - Bizum: `\u002F?wc-api=WC_Gateway_bizumredsys`\n    - Google Pay: `\u002F?wc-api=WC_Gateway_googlepayredirecredsys`\n- **HTTP Method**: `GET`\n- **Authentication**: None (Unauthenticated)\n- **Vulnerable Parameters**:\n    - `Ds_Response`: Set to `0000`","The Payment Gateway for Redsys & WooCommerce Lite plugin is vulnerable to unauthorized order status changes because it fails to verify the cryptographic signature of incoming Redsys payment notifications. This allows unauthenticated attackers to spoof successful transaction responses and mark WooCommerce orders as paid without providing a valid signature or completing a real payment.","\u002F\u002F classes\u002Fclass-wc-gateway-redsys.php (around line 950 in v7.0.0)\n\t\t$mi_obj            = new RedsysLiteAPI();\n\t\t$dscardnumbercompl = '';\n\t\t$dsexpiration      = '';\n\t\t$dsmerchantidenti  = '';\n\t\t$dsexpiryyear      = '';\n\t\t$dsexpirymonth     = '';\n\t\t$decodedata        = $mi_obj->decode_merchant_parameters( $data );\n\t\t$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );\n\t\t$total             = $mi_obj->get_parameter( 'Ds_Amount' );\n\t\t$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );\n\t\t$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );\n\n--- \n\n\u002F\u002F classes\u002Fclass-wc-gateway-bizum-redsys.php (around line 1138 in v7.0.0)\n\t\t$mi_obj            = new RedsysLiteAPI();\n\t\t$dscardnumbercompl = '';\n\t\t$dsexpiration      = '';\n\t\t$dsmerchantidenti  = '';\n\t\t$dsexpiryyear      = '';\n\t\t$dsexpirymonth     = '';\n\t\t$decodedata        = $mi_obj->decode_merchant_parameters( $data );\n\t\t$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );\n\t\t$total             = $mi_obj->get_parameter( 'Ds_Amount' );\n\t\t$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.0\u002Fclasses\u002Fclass-wc-gateway-bizum-redsys.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.1\u002Fclasses\u002Fclass-wc-gateway-bizum-redsys.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.0\u002Fclasses\u002Fclass-wc-gateway-bizum-redsys.php\t2026-02-15 15:39:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.1\u002Fclasses\u002Fclass-wc-gateway-bizum-redsys.php\t2026-04-08 21:21:30.000000000 +0000\n@@ -1139,6 +1139,15 @@\n \t\t$dsexpirymonth     = '';\n \t\t$decodedata        = $mi_obj->decode_merchant_parameters( $data );\n \t\t$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );\n+\n+\t\t\u002F\u002F Verify cryptographic signature to prevent payment forgery.\n+\t\t if ( $localsecret !== $remote_sign ) {\n+\t\t\tif ( 'yes' === $this->debug ) {\n+\t\t\t\t$this->log->add( 'bizumredsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign );\n+\t\t\t}\n+\t\t\treturn;\n+\t\t}\n+\n \t\t$total             = $mi_obj->get_parameter( 'Ds_Amount' );\n \t\t$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );\n \t\t$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.0\u002Fclasses\u002Fclass-wc-gateway-googlepay-redirection-redsys.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.1\u002Fclasses\u002Fclass-wc-gateway-googlepay-redirection-redsys.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.0\u002Fclasses\u002Fclass-wc-gateway-googlepay-redirection-redsys.php\t2026-02-15 15:39:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.1\u002Fclasses\u002Fclass-wc-gateway-googlepay-redirection-redsys.php\t2026-04-08 21:21:30.000000000 +0000\n@@ -974,6 +974,15 @@\n \t\t$dsexpirymonth     = '';\n \t\t$decodedata        = $mi_obj->decode_merchant_parameters( $data );\n \t\t$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );\n+\n+\t\t\u002F\u002F Verify cryptographic signature to prevent payment forgery.\n+\t\tif ( $localsecret !== $remote_sign ) {\n+\t\t\tif ( 'yes' === $this->debug ) {\n+\t\t\t\t$this->log->add( 'googlepayredirecredsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign );\n+\t\t\t}\n+\t\t\treturn;\n+\t\t}\n+\n \t\t$total             = $mi_obj->get_parameter( 'Ds_Amount' );\n \t\t$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );\n \t\t$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.0\u002Fclasses\u002Fclass-wc-gateway-redsys.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.1\u002Fclasses\u002Fclass-wc-gateway-redsys.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.0\u002Fclasses\u002Fclass-wc-gateway-redsys.php\t2026-02-15 15:39:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-redsys-gateway-light\u002F7.0.1\u002Fclasses\u002Fclass-wc-gateway-redsys.php\t2026-04-08 21:21:30.000000000 +0000\n@@ -952,6 +940,15 @@\n \t\t$dsexpirymonth     = '';\n \t\t$decodedata        = $mi_obj->decode_merchant_parameters( $data );\n \t\t$localsecret       = $mi_obj->create_merchant_signature_notif( $usesecretsha256, $data );\n+\n+\t\t\u002F\u002F Verify cryptographic signature to prevent payment forgery.\n+\t\tif ( $localsecret !== $remote_sign ) {\n+\t\t\tif ( 'yes' === $this->debug ) {\n+\t\t\t\t$this->log->add( 'redsys', 'Signature verification failed in successful_request. Local: ' . $localsecret . ' Remote: ' . $remote_sign );\n+\t\t\t}\n+\t\t\treturn;\n+\t\t}\n+\n \t\t$total             = $mi_obj->get_parameter( 'Ds_Amount' );\n \t\t$ordermi           = $mi_obj->get_parameter( 'Ds_Order' );\n \t\t$dscode            = $mi_obj->get_parameter( 'Ds_MerchantCode' );","To exploit this vulnerability, an unauthenticated attacker needs to identify a valid WooCommerce order ID. The attacker can then send a GET request to one of the Redsys API endpoints provided by the plugin (e.g., `\u002F?wc-api=WC_Gateway_redsys`). The request must include the `Ds_MerchantParameters` parameter, which contains a Base64-encoded JSON string representing a successful payment notification from Redsys. Specifically, this JSON must include the target `Ds_Order` (the order ID) and a successful `Ds_Response` (e.g., '0000'). Because the vulnerable versions of the plugin do not validate the `Ds_Signature` against the shared merchant secret, the plugin will process the notification as authentic and mark the specified order as 'Processing' or 'Completed' (Paid) in WooCommerce.","gemini-3-flash-preview","2026-04-27 14:34:36","2026-04-27 14:35:27",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","7.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-redsys-gateway-light\u002Ftags\u002F7.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-redsys-gateway-light.7.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-redsys-gateway-light\u002Ftags\u002F7.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-redsys-gateway-light.7.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-redsys-gateway-light\u002Ftags"]