iPaymu Payment Gateway for WooCommerce Missing Authentication Vulnerability Allowing Unauthenticated Payment Bypass and Order Information Disclosure

Vulnerability

A vulnerability exists in the iPaymu Payment Gateway for WooCommerce plugin for WordPress, affecting all versions through 2.0.2. The issue arises from missing authentication in the 'check_ipaymu_response' function: the plugin does not validate the authenticity of incoming webhook requests. This lack of validation allows unauthenticated attackers to manipulate WooCommerce order statuses by sending crafted POST requests to the webhook endpoint, without any actual payment being made. Additionally, attackers can use GET requests to enumerate order IDs and obtain valid order keys, thereby exposing personally identifiable information (PII) of customers, including names, addresses, and details of purchased products.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of order statuses, marking them as paid without any actual transaction. It also enables the disclosure of sensitive customer information, including names, addresses, and purchased items.

Reproduction

To reproduce this vulnerability, send a POST request to the iPaymu webhook endpoint without a signature or origin verification. This can be done using a tool like cURL or Postman. The request should include the 'id_order' and 'order_status' parameters to simulate a payment notification. After the request is processed, the corresponding WooCommerce order will be marked as paid, and the order details can be accessed, including customer PII.
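To make the missing check concrete, here is an added illustration (not the plugin's code) of the two handler patterns: one that trusts 'id_order' and 'order_status' with no authentication, as the advisory describes, and one that accepts only signed POST callbacks and answers nothing to GET. The HMAC-SHA256 header, the shared secret and the sample order store are assumptions for the example; iPaymu's real callback format is not shown on this page.

```python
import hashlib
import hmac
import json

# Constructed sample secret; real deployments would load it from configuration.
SHARED_SECRET = b"example-shared-secret"


def new_orders() -> dict:
    """Constructed in-memory order store standing in for WooCommerce orders."""
    return {"1001": {"status": "pending", "customer": "A. Example"}}


def make_body(id_order: str, order_status: str) -> bytes:
    """Build the JSON body of a payment notification (assumed format)."""
    return json.dumps({"id_order": id_order, "order_status": order_status}).encode()


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Hypothetical HMAC-SHA256 tag a gateway would attach to a callback."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def vulnerable_webhook(method: str, params: dict, orders: dict) -> str:
    """Pattern described in the advisory: any request can change or read an order."""
    order = orders.get(str(params.get("id_order")))
    if order is None:
        return "404"
    if method == "POST":
        order["status"] = params.get("order_status", order["status"])
        return "updated"
    return json.dumps(order)  # GET discloses order details to anyone


def hardened_webhook(method: str, body: bytes, headers: dict, orders: dict) -> str:
    """Same endpoint with request authentication: only signed POSTs change state."""
    if method != "POST":
        return "405"  # no read path at all for callbacks
    tag = headers.get("X-Signature", "")
    if not hmac.compare_digest(tag, sign(body)):
        return "403"  # unsigned or tampered request, nothing is changed
    params = json.loads(body)
    order = orders.get(str(params.get("id_order")))
    if order is None:
        return "404"
    if params.get("order_status") not in ("paid", "failed"):
        return "400"  # only the states the gateway is allowed to set
    order["status"] = params["order_status"]
    return "updated"
```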

Remediation

Users are advised to update the iPaymu Payment Gateway for WooCommerce plugin to version 2.0.3 or later.

Added: Jan 7, 2026, 12:19 PM
Updated: Jan 7, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          3.1
  exploitability  8.4
  remediation     7.7
  relevance       1.9
  threat          4.8
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.