PAYGENT for WooCommerce Missing Authorization Vulnerability in Payment Callback Handling
Vulnerability
A missing authorization vulnerability has been identified in the PAYGENT for WooCommerce plugin for WordPress, affecting all versions through 2.4.6. The issue arises from inadequate authorization checks in the 'paygent_check_webhook' function, coupled with the 'paygent_permission_callback' function always returning true. This flaw allows unauthenticated attackers to interfere with payment callbacks and alter order statuses by sending fake payment notifications via the '/wp-json/paygent/v1/check/' endpoint.
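The pattern the advisory describes, as an added illustrative example and not the plugin's own code: a REST route whose permission_callback unconditionally returns true, placed beside a hardened variant that authenticates the notification before the handler touches any order. The route, function names and endpoint come from the advisory; the signature header, option name, shared-secret HMAC scheme and notification field names are assumptions marked HYPOTHETICAL, since the page does not describe PAYGENT's real notification contract.

```php
<?php
// Added example, not PAYGENT's code. Reconstructs the weak pattern from the
// advisory next to a hardened permission check. Names marked HYPOTHETICAL are
// assumptions about the gateway's contract, not facts from the advisory.

// --- Weak pattern (as described for versions <= 2.4.6) ---
function paygent_permission_callback_weak( WP_REST_Request $request ) {
    return true; // any unauthenticated client reaches the handler
}

// --- Hardened permission check ---
// HYPOTHETICAL: assumes the gateway sends an HMAC-SHA256 of the raw body,
// keyed with a shared secret, in an 'X-Paygent-Signature' header.
function paygent_permission_callback_hardened( WP_REST_Request $request ) {
    $secret = (string) get_option( 'paygent_webhook_secret', '' ); // HYPOTHETICAL option
    if ( '' === $secret ) {
        // Fail closed: an unconfigured secret must not become an open endpoint.
        return new WP_Error( 'paygent_no_secret', 'Webhook secret not configured.', array( 'status' => 503 ) );
    }
    $provided = (string) $request->get_header( 'x_paygent_signature' ); // HYPOTHETICAL header
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    // hash_equals() avoids leaking the comparison result through timing.
    if ( '' === $provided || ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'paygent_bad_signature', 'Invalid webhook signature.', array( 'status' => 403 ) );
    }
    return true;
}

// --- Handler ---
// Only moves an order forward when it is genuinely awaiting payment, so a
// replayed or duplicate notification cannot re-complete a refunded order.
function paygent_check_webhook_example( WP_REST_Request $request ) {
    $params   = $request->get_json_params();
    $order_id = isset( $params['order_id'] ) ? absint( $params['order_id'] ) : 0; // HYPOTHETICAL field
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        return new WP_Error( 'paygent_no_order', 'Unknown order.', array( 'status' => 404 ) );
    }
    $result = isset( $params['result'] ) ? (string) $params['result'] : ''; // HYPOTHETICAL field
    if ( 'paid' === $result && $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        $txn = isset( $params['transaction_id'] ) ? sanitize_text_field( $params['transaction_id'] ) : '';
        $order->payment_complete( $txn );
    }
    return rest_ensure_response( array( 'ok' => true ) );
}

// Registers the route from the advisory with the hardened check instead of
// the always-true one.
add_action( 'rest_api_init', function () {
    register_rest_route( 'paygent/v1', '/check/', array(
        'methods'             => 'POST',
        'callback'            => 'paygent_check_webhook_example',
        'permission_callback' => 'paygent_permission_callback_hardened',
    ) );
} );
```

Two points matter for defenders here. First, the permission_callback is the only gate WordPress puts in front of a REST handler, so returning true from it is equivalent to making the endpoint public; the fix must live there, not only in the handler. Second, until the plugin is updated, a site can watch its access logs for POST requests to /wp-json/paygent/v1/check/ that do not originate from the gateway and for orders whose status changes without a matching gateway transaction.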
Impact
Exploitation of this vulnerability allows for unauthorized manipulation of payment callbacks and order statuses within WooCommerce.
Remediation
Users can update to version 2.4.7 or a newer patched version to address this vulnerability.
