CVE-2026-24583

SumUp Payment Gateway For WooCommerce <= 2.7.9 - Missing Authorization

Type: Missing Authorization
Severity: medium
CVSS Score: 5.3
Patched in: 2.7.10
Time to patch: 19d

Description

The SumUp Payment Gateway For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=2.7.9
Published: January 19, 2026
Last updated: February 6, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24583

1. Vulnerability Summary

The SumUp Payment Gateway For WooCommerce plugin (versions <= 2.7.9) contains a missing authorization vulnerability. Specifically, an AJAX handler responsible for an administrative or sensitive action is registered with the wp_ajax_nopriv_ hook without an accompanying current_user_can() check. This allows unauthenticated users to trigger the function, potentially disrupting the payment gateway configuration (e.g., disconnecting the merchant account or modifying settings).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: sumup_disconnect (inferred as the most likely candidate for a CVSS 5.3 unauthorized action in this plugin).
  • HTTP Method: POST
  • Parameters:
    • action: sumup_disconnect
    • security or nonce: (Required if a nonce check is present, but potentially bypassable if unauthenticated users can access it).
  • Preconditions: The plugin must be active and configured with a merchant account for the impact to be observable.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers AJAX handlers in a class like SumUp_Payment_Gateway_Wc_Admin (likely in includes/class-sumup-payment-gateway-wc-admin.php).
  2. Hook Registration:
    add_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );
    add_action( 'wp_ajax_nopriv_sumup_disconnect', array( $this, 'sumup_disconnect' ) ); // Vulnerability: nopriv access
    
  3. Vulnerable Function: The sumup_disconnect() function executes.
  4. Missing Check: The function likely performs update_option( 'woocommerce_sumup_settings', ... ) to clear credentials but fails to check current_user_can( 'manage_options' ).

4. Nonce Acquisition Strategy

To exploit this without authentication, we must determine whether sumup_disconnect verifies a nonce and, if so, whether that nonce is exposed to logged-out users.

  1. Identify Script Enqueuing: Search for wp_localize_script in the plugin codebase to find where the nonce is sent to the client.
  2. Search Targets:
    • WooCommerce Checkout Page: If the plugin enqueues scripts on the frontend for payment processing.
    • Admin Pages: If the nonce is only in the admin, the vulnerability might require a higher-privilege user to visit a page (CSRF), or the developer might have mistakenly enqueued it on the frontend.
  3. Extraction Steps:
    • Step 1: Create a test page containing the WooCommerce Checkout shortcode (where the plugin is active).
      wp post create --post_type=page --post_status=publish --post_content='[woocommerce_checkout]'
    • Step 2: Use browser_navigate to the new page.
    • Step 3: Use browser_eval to find the localization object. Look for sumup_params or sumup_admin_params.
      browser_eval("window.sumup_params?.nonce || window.sumup_admin_params?.nonce")
  4. Bypass Check: Check if the code uses check_ajax_referer( 'sumup_nonce', 'security', false ) without checking the return value. If so, any value (or no value) will work.

5. Exploitation Strategy

  1. Goal: Trigger the sumup_disconnect action to clear the gateway configuration.
  2. Request Construction:
    • URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=sumup_disconnect&security=[NONCE_OBTAINED_ABOVE]
  3. Alternative Payload: If sumup_disconnect isn't the target, use grep -r "wp_ajax_nopriv" . to identify the correct action name (e.g., sumup_save_settings).

6. Test Data Setup

  1. Install Plugin: Ensure version 2.7.9 is installed.
  2. Configure WooCommerce:
    • Enable the SumUp Payment Gateway.
    • Set dummy API keys or a Merchant ID in WooCommerce > Settings > Payments > SumUp.
  3. Create Landing Page:
    • wp post create --post_type=page --post_title="Checkout" --post_status=publish --post_content='[woocommerce_checkout]'
    • Record the URL for nonce extraction.

7. Expected Results

  • HTTP Response: Usually a 200 OK with a JSON body like {"success": true} or 1.
  • System Impact: The woocommerce_sumup_settings option in the wp_options table will be modified or cleared.
  • Frontend Impact: The SumUp payment method will no longer be functional on the checkout page because the merchant is "disconnected".

8. Verification Steps

  1. Check Options via CLI:
    wp option get woocommerce_sumup_settings
    Verify that sensitive fields (like merchant_id, access_token, or app_id) are now empty or the option is deleted.
  2. Check Admin UI:
    Navigate to the SumUp settings page and verify that the account shows as "Disconnected" or that the page prompts for login.
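For a site that cannot upgrade to 2.7.10 immediately, the impact described in sections 7 and 8 (the woocommerce_sumup_settings option being cleared) can be monitored, and optionally blocked, at the option-write layer rather than in the plugin. The must-use plugin below is an added example written for this page; it is not part of the advisory or of the SumUp plugin. The option name comes from this page; the constant name EXAMPLE_SUMUP_BLOCK_UNAUTH_WRITES, the capability manage_options and the log line format are assumptions.

```php
<?php
/**
 * Added example (not the plugin's or the advisory's code): a must-use plugin
 * (drop into wp-content/mu-plugins/) that logs, and optionally refuses, any
 * write to woocommerce_sumup_settings that does not come from a logged-in
 * user holding manage_options. The option name is from the advisory; the
 * constant name and log format are assumptions.
 */

// Set to true to make unauthenticated/unprivileged writes a no-op.
if ( ! defined( 'EXAMPLE_SUMUP_BLOCK_UNAUTH_WRITES' ) ) {
    define( 'EXAMPLE_SUMUP_BLOCK_UNAUTH_WRITES', false );
}

/**
 * Describe the current request for the log line.
 */
function example_sumup_request_context() {
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '-';
    return sprintf(
        'ajax=%s user=%d ip=%s action=%s',
        wp_doing_ajax() ? 'yes' : 'no',
        get_current_user_id(),
        $ip,
        $action
    );
}

/**
 * pre_update_option_{$option} runs before the row is written. Returning
 * $old_value makes update_option() see no change and skip the write, which
 * keeps the merchant connected even if the vulnerable handler is reached.
 */
add_filter( 'pre_update_option_woocommerce_sumup_settings', function ( $value, $old_value ) {
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return $value; // legitimate change from an administrator
    }

    error_log( '[sumup-guard] woocommerce_sumup_settings write from unauthenticated or unprivileged context: '
        . example_sumup_request_context() );

    if ( EXAMPLE_SUMUP_BLOCK_UNAUTH_WRITES ) {
        return $old_value; // refuse the write
    }
    return $value; // log only
}, 10, 2 );
```

With blocking enabled, a request that reaches the vulnerable handler still receives the handler's success response, but the stored credentials are unchanged, and the log line gives the source IP and the AJAX action for triage. Legitimate command-line changes made with WP-CLI run with no logged-in user, so pass --user=<an administrator> to wp option update while this guard is active, or disable blocking during maintenance. This is a stopgap; the fix is the patched release.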

9. Alternative Approaches

  • Missing Nonce: If no nonce is verified in the sumup_disconnect function, the attack can be performed with a simple action=sumup_disconnect POST request with no security parameter.
  • REST API Route: Search for register_rest_route with permission_callback set to __return_true. If a REST route exists for disconnection, the exploit would target /wp-json/sumup/v1/disconnect instead of admin-ajax.php.
  • Action Guessing: If sumup_disconnect is not the vulnerable action, common SumUp actions to test include:
    • sumup_save_api_keys
    • sumup_oauth_disconnect
    • sumup_verify_token
Research Findings
Static analysis — not yet PoC-verified

Summary

The SumUp Payment Gateway For WooCommerce plugin fails to implement authorization checks on sensitive AJAX handlers, such as the account disconnection feature. By registering actions using the 'wp_ajax_nopriv_' hook without subsequent capability validation, the plugin allows unauthenticated attackers to clear gateway configurations and disconnect the merchant account.

Vulnerable Code

// includes/class-sumup-payment-gateway-wc-admin.php (approximate)

// Action registered for both logged-in and logged-out users
add_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );
add_action( 'wp_ajax_nopriv_sumup_disconnect', array( $this, 'sumup_disconnect' ) );

---

// includes/class-sumup-payment-gateway-wc-admin.php (approximate)

public function sumup_disconnect() {
    // The function executes administrative actions without checking current_user_can()
    $settings = get_option( 'woocommerce_sumup_settings' );
    $settings['access_token'] = '';
    $settings['merchant_id'] = '';
    update_option( 'woocommerce_sumup_settings', $settings );
    wp_send_json_success();
}
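The following is a hardened counterpart to the vulnerable handler above, written for this page as an added example; it is not the plugin's code and not the vendor's patch. The class name Example_SumUp_Admin, the admin screen hook suffix, the script handle and file name are assumptions; the AJAX action, option name, nonce name and the manage_options capability follow what this page states. It also shows the correct use of check_ajax_referer() with $die = false, whose return value must be tested (section 4 of the research plan notes the bypass that results when it is ignored).

```php
<?php
/**
 * Added example (not the plugin's code): a hardened version of the inferred
 * sumup_disconnect() handler. Class name, hook suffix and script handle are
 * assumptions; action, option and nonce names follow the advisory text.
 */
class Example_SumUp_Admin {

    public function __construct() {
        // Register for authenticated requests only. Without a wp_ajax_nopriv_
        // hook, admin-ajax.php answers logged-out callers with "0" and never
        // enters this class.
        add_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );
        // The nonce is issued only on the admin screen, never on the storefront.
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_script' ) );
    }

    public function enqueue_admin_script( $hook_suffix ) {
        // Assumed hook suffix of the WooCommerce settings screen.
        if ( 'woocommerce_page_wc-settings' !== $hook_suffix ) {
            return;
        }
        wp_enqueue_script( 'example-sumup-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        wp_localize_script( 'example-sumup-admin', 'sumup_admin_params', array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'nonce'    => wp_create_nonce( 'sumup_disconnect_nonce' ),
        ) );
    }

    public function sumup_disconnect() {
        // 1. Capability check first: who is asking, regardless of nonce.
        //    wp_send_json_error() ends the request via wp_die(), so no return is needed.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
        }

        // 2. Nonce check with $die = false so the response is ours to shape.
        //    The return value MUST be tested; ignoring it accepts any value.
        if ( ! check_ajax_referer( 'sumup_disconnect_nonce', 'security', false ) ) {
            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
        }

        // 3. A state-changing action should not be reachable by GET.
        if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
            wp_send_json_error( array( 'message' => 'Method not allowed' ), 405 );
        }

        // Only now clear the stored credentials.
        $settings = get_option( 'woocommerce_sumup_settings', array() );
        if ( ! is_array( $settings ) ) {
            $settings = array();
        }
        $settings['access_token'] = '';
        $settings['merchant_id']  = '';
        update_option( 'woocommerce_sumup_settings', $settings );

        wp_send_json_success( array( 'message' => 'Disconnected' ) );
    }
}

new Example_SumUp_Admin();
```

The order of the checks matters for the reported vector (PR:N): the capability check rejects anonymous and low-privilege callers before any nonce handling, so a nonce leaked to the storefront would not be enough on its own, and the nonce check then protects administrators against cross-site request forgery.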

Security Fix

--- a/includes/class-sumup-payment-gateway-wc-admin.php
+++ b/includes/class-sumup-payment-gateway-wc-admin.php
@@ -10,1 +10,1 @@
 add_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );
-add_action( 'wp_ajax_nopriv_sumup_disconnect', array( $this, 'sumup_disconnect' ) );
 
 public function sumup_disconnect() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+    check_ajax_referer( 'sumup_disconnect_nonce', 'security' );
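Review bot: the hunk header "@@ -10,1 +10,1 @@" declares a single-line hunk on each side, but the body shown has four old-side lines (two context, one removed, one blank context plus the function line) and seven new-side lines, so the patch as quoted would not apply; the header should carry the real counts, "@@ -10,4 +10,7 @@" for the lines visible here. Two smaller points on the added lines: wp_send_json_error( 'Unauthorized', 403 ) terminates the request through wp_die(), so the missing return after it is not a defect, and the nonce action 'sumup_disconnect_nonce' must match the name passed to wp_create_nonce() where the admin script is localized; the research plan above refers to 'sumup_nonce', so one of the two names is inferred and the pair should be reconciled before the diff is treated as the vendor's change.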

Exploit Outline

1. Identify the AJAX action (e.g., 'sumup_disconnect') that the plugin exposes via the 'wp_ajax_nopriv_' hook in the admin controller.
2. Locate a valid nonce if the plugin verifies one via check_ajax_referer. Nonces for this plugin are often found by inspecting localized JavaScript variables (like 'sumup_params') on the WooCommerce checkout page or login pages.
3. Construct a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'sumup_disconnect' and the 'security' parameter set to the extracted nonce.
4. Execute the request as an unauthenticated user. If successful, the server will return a success response, and the WooCommerce SumUp settings in the database will be wiped, disabling the payment gateway.
