Eupago Gateway for WooCommerce WordPress Plugin Access Control Vulnerability Allowing Unauthenticated Refunds

Vulnerability

A vulnerability in the Eupago Gateway for WooCommerce WordPress plugin, affecting versions prior to 4.7.2, allows unauthenticated attackers to initiate refunds on any WooCommerce order. The plugin fails to properly restrict access to its refund request handler, so an attacker who can reach that endpoint can trigger refunds through the merchant's stored payment gateway credentials without being logged in. For certain payment methods, the refund destination is taken from the request, which additionally lets the attacker redirect the refunded funds to a bank account they control.
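The page does not show the plugin's actual handler, so the following is an added illustration of the access-control pattern at issue, not code from the Eupago plugin. It contrasts a WordPress admin-ajax refund handler that is reachable by logged-out visitors (the `wp_ajax_nopriv_*` hook, no capability or nonce check, destination account read from the request) with a hardened version that requires the shop-management capability, verifies a nonce, bounds the amount, and never lets the request choose where the money goes. The hook names, the `example_gateway_*` functions and the `example_gateway_api_key` option are hypothetical; the WordPress and WooCommerce calls (`add_action`, `current_user_can`, `check_ajax_referer`, `wc_get_order`, `wp_send_json_*`, `WC_Order::get_remaining_refund_amount`) are real APIs.

```php
<?php
// Added example, not the Eupago plugin's own code. All example_* names are hypothetical.

// Hypothetical stand-in for the call to the payment provider's refund API.
// A real gateway call would use the merchant's stored credential ($api_key).
function example_gateway_api_refund( $api_key, WC_Order $order, $amount, $destination ) {
    return array( 'ok' => true, 'order' => $order->get_id(), 'amount' => $amount, 'to' => $destination );
}

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_nopriv_* hooks fire for visitors who are not logged in. Registering the
// refund handler there, with no capability or nonce check, means anyone who can
// POST to /wp-admin/admin-ajax.php?action=example_gateway_refund can refund any
// order using the merchant's credential, and (for a "transfer" style method)
// name the payout account themselves.
add_action( 'wp_ajax_nopriv_example_gateway_refund', 'example_gateway_refund_vulnerable' );
add_action( 'wp_ajax_example_gateway_refund',        'example_gateway_refund_vulnerable' );

function example_gateway_refund_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $amount   = (float) ( $_POST['amount'] ?? 0 );
    $iban     = sanitize_text_field( $_POST['iban'] ?? '' ); // attacker-chosen destination
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order' );
    }
    // Merchant credential is used on behalf of an unauthenticated caller.
    $result = example_gateway_api_refund( get_option( 'example_gateway_api_key' ), $order, $amount, $iban );
    wp_send_json_success( $result );
}

// --- Hardened pattern ---------------------------------------------------------
// 1. Only the authenticated wp_ajax_* hook: logged-out requests never reach it.
// 2. Capability check: only users allowed to manage the shop may refund.
// 3. Nonce check: stops CSRF riding on a logged-in manager's session.
// 4. Amount bounded by what is still refundable on the order.
// 5. Destination comes from the gateway's record of the original payment, never
//    from the request body.
add_action( 'wp_ajax_example_gateway_refund_v2', 'example_gateway_refund_hardened' );

function example_gateway_refund_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_gateway_refund', 'nonce' ); // dies with 403 on failure

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $amount   = (float) ( $_POST['amount'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order || $amount <= 0 || $amount > (float) $order->get_remaining_refund_amount() ) {
        wp_send_json_error( 'invalid order or amount', 400 );
    }
    // null destination: the provider refunds to the original payment source.
    $result = example_gateway_api_refund( get_option( 'example_gateway_api_key' ), $order, $amount, null );
    wp_send_json_success( $result );
}
```

When auditing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations and `register_rest_route` calls whose `permission_callback` is `__return_true`, then check whether the handler they point at performs any privileged or money-moving action.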

Impact

Exploitation of this vulnerability could lead to unauthorized refunds being processed against the merchant's gateway account and, for certain payment methods, to the refunded amounts being redirected to an attacker-controlled bank account.

Remediation

Users are advised to update the Eupago Gateway for WooCommerce WordPress plugin to version 4.7.2 or later.

Added: May 28, 2026, 8:35 AM
Updated: May 28, 2026, 8:35 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          2.5
exploitability  8.9
remediation     7.7
relevance       9.7
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.