Payment Gateway for Redsys and WooCommerce Lite Improper Signature Verification Vulnerability
Vulnerability
A vulnerability exists in the Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress, in versions through 7.0.0. The successful_request() handlers that process the gateway's payment notification compute a local signature for the received parameters but never compare it against the Ds_Signature supplied in the incoming request before updating the order's payment status. The flaw is present in the Redsys, Bizum, and Google Pay gateway flows. As a result, an unauthenticated attacker can forge the payment callback and mark a pending order as paid, needing only a valid order key and the order amount, both of which are already known to whoever placed the order. Exploitation allows checkout to be completed, and products or services to be fulfilled, without any payment being made.
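The check the handler skips, as an added example that is not the plugin's own code: a Go model of a Redsys HMAC_SHA256_V1 merchant notification handler, with the vulnerable behaviour (local signature computed, then ignored) beside the corrected one (constant-time compare before any state change). The merchant key, the order book and the notification values are constructed for the example; all function names are hypothetical and do not correspond to the plugin's successful_request() implementation.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed 24-byte merchant key in the base64 form Redsys hands to merchants
// (not a live key) and a constructed order book: Ds_Order -> amount in cents.
const merchantKeyB64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
var pendingOrders = map[string]string{"000123abc": "1999"}

// Notification is the Redsys callback: Ds_MerchantParameters and Ds_Signature.
type Notification struct{ MerchantParameters, Signature string }
type merchantParams struct {
	Order  string `json:"Ds_Order"`
	Amount string `json:"Ds_Amount"`
}

// b64Decode accepts both alphabets; Redsys notifications use URL-safe base64.
func b64Decode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "/").Replace(s))
}

// signParams implements HMAC_SHA256_V1: the merchant key is diversified per order
// with 3DES-CBC (zero IV, Ds_Order zero-padded), then HMAC-SHA256 over the params.
func signParams(keyB64, order, paramsB64 string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	plain := append([]byte(order), make([]byte, (des.BlockSize-len(order)%des.BlockSize)%des.BlockSize)...)
	orderKey := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(orderKey, plain)
	mac := hmac.New(sha256.New, orderKey)
	mac.Write([]byte(paramsB64))
	return mac.Sum(nil), nil
}

// localSignature decodes the parameters and computes the signature the merchant expects.
func localSignature(n Notification) (p merchantParams, sig []byte, err error) {
	raw, err := b64Decode(n.MerchantParameters)
	if err == nil {
		err = json.Unmarshal(raw, &p)
	}
	if err == nil {
		sig, err = signParams(merchantKeyB64, p.Order, n.MerchantParameters)
	}
	return p, sig, err
}

// businessChecks mirrors what the handler did validate: known order, expected amount.
func businessChecks(p merchantParams) bool {
	expected, ok := pendingOrders[p.Order]
	return ok && expected == p.Amount
}

// vulnerableSuccessfulRequest computes the local signature but never compares it.
func vulnerableSuccessfulRequest(n Notification) (bool, error) {
	p, _, err := localSignature(n) // signature computed, then discarded
	return err == nil && businessChecks(p), err
}

// fixedSuccessfulRequest verifies Ds_Signature in constant time before touching state.
func fixedSuccessfulRequest(n Notification) (bool, error) {
	p, local, err := localSignature(n)
	if err != nil {
		return false, err
	}
	if remote, err := b64Decode(n.Signature); err != nil || !hmac.Equal(local, remote) {
		return false, errors.New("Ds_Signature mismatch: notification rejected")
	}
	return businessChecks(p), nil
}

func encodeParams(order, amount string) string {
	raw, _ := json.Marshal(merchantParams{Order: order, Amount: amount})
	return base64.URLEncoding.EncodeToString(raw)
}

// forgedNotification is what an unauthenticated attacker can send: real order and amount, junk signature.
func forgedNotification(order, amount string) Notification {
	junk := base64.URLEncoding.EncodeToString(make([]byte, sha256.Size))
	return Notification{encodeParams(order, amount), junk}
}

// genuineNotification is what Redsys itself would send for the same order.
func genuineNotification(order, amount string) (Notification, error) {
	params := encodeParams(order, amount)
	sig, err := signParams(merchantKeyB64, order, params)
	return Notification{params, base64.URLEncoding.EncodeToString(sig)}, err
}
```

Driving it with forgedNotification("000123abc", "1999") shows the split: vulnerableSuccessfulRequest marks the order paid, fixedSuccessfulRequest rejects it, and only genuineNotification (signed with the merchant key) passes the fixed handler. The order key and amount are business validation, not authentication; the only thing that proves the callback came from Redsys is the HMAC under the merchant key, so the compare has to happen, and happen before any order state is written.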
Impact
Exploitation of this vulnerability allows unauthorized manipulation of payment status, leading to fraudulent order completions and the fulfillment of goods or services for which no payment was received.
Remediation
Users are advised to update the Payment Gateway for Redsys & WooCommerce Lite plugin to version 7.0.1 or a newer patched version.
