Japanized for WooCommerce Improper Authentication Vulnerability in WordPress Plugin

Vulnerability

A vulnerability allowing improper authentication has been identified in the Japanized for WooCommerce WordPress plugin, affecting all versions up to and including 2.8.4. The issue arises from a permission check flaw in the 'paidy_webhook_permission_check' function, which accepts requests that carry no webhook signature header instead of rejecting them. This oversight enables unauthenticated attackers to bypass payment verification and falsely mark orders as 'Processing' or 'Completed' without any actual payment, by sending a crafted POST request to the Paidy webhook endpoint.
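The failure mode described above is a REST permission callback that treats a missing signature header as "nothing to check". The following is an added illustration written for this page, not the plugin's own code: the flawed pattern beside a fail-closed version. Function and option names are hypothetical, and the signature scheme (HMAC-SHA256 over the raw request body, hex-encoded) is an assumption rather than Paidy's documented format.

```php
<?php
// Added illustration, not the plugin's own code. Function and option names
// are hypothetical, and the signature scheme (HMAC-SHA256 over the raw
// request body, hex-encoded) is an assumption, not Paidy's documented format.

// The flawed pattern the advisory describes: an absent header is treated as
// "nothing to verify", so the request reaches the order-status handler.
function example_webhook_permission_flawed( WP_REST_Request $request ) {
    $signature = $request->get_header( 'x-paidy-signature' );
    if ( empty( $signature ) ) {
        return true; // BUG: unauthenticated request is allowed through
    }
    return example_webhook_signature_valid( $request, $signature );
}

// Hardened form: fail closed when the header is absent, verify the body MAC
// in constant time, and only then let the route callback run.
function example_webhook_permission_hardened( WP_REST_Request $request ) {
    $signature = $request->get_header( 'x-paidy-signature' );
    if ( empty( $signature ) ) {
        return new WP_Error( 'rest_forbidden', 'Missing webhook signature.', array( 'status' => 401 ) );
    }
    if ( ! example_webhook_signature_valid( $request, $signature ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid webhook signature.', array( 'status' => 403 ) );
    }
    return true;
}

function example_webhook_signature_valid( WP_REST_Request $request, $signature ) {
    $secret = get_option( 'example_paidy_webhook_secret' ); // hypothetical option
    if ( empty( $secret ) ) {
        return false; // no shared secret configured: never accept
    }
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    return hash_equals( $expected, (string) $signature );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'paidy/v1', '/order', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => 'example_webhook_permission_hardened',
        // Only reached after the signature check passed; the real plugin
        // updates the WooCommerce order status here.
        'callback'            => function ( WP_REST_Request $request ) {
            return new WP_REST_Response( array( 'received' => true ), 200 );
        },
    ) );
} );
```

The hardened callback returns a WP_Error, so WordPress stops the request before the route callback runs; the 401 versus 403 split lets a defender tell "no signature at all" from "wrong signature" in the REST response logs.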

Impact

Exploitation of this vulnerability allows unauthenticated users to manipulate order statuses, potentially leading to unauthorized order processing and completion.

Reproduction

To reproduce this vulnerability, send a POST request to the '/wp-json/paidy/v1/order' endpoint without including the 'x-paidy-signature' header. The request will be accepted, and the order will be marked as 'Processing' or 'Completed', depending on the crafted data included in the request.

Remediation

Users are advised to update the Japanized for WooCommerce plugin for WordPress to version 2.8.5 or later.

Added: Feb 27, 2026, 10:19 AM
Updated: Feb 27, 2026, 2:17 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce scores in these eight vulnerability categories, which are then combined into the overall risk score.