CVE-2026-1305 Overview
The Japanized for WooCommerce plugin for WordPress contains an Improper Authentication vulnerability (CWE-287) in versions up to and including 2.8.4. The vulnerability exists in the paidy_webhook_permission_check function, which unconditionally returns true when the webhook signature header is omitted from incoming requests. This flawed permission check allows unauthenticated attackers to bypass payment verification and fraudulently mark WooCommerce orders as "Processing" or "Completed" without actual payment by sending crafted POST requests to the Paidy webhook endpoint.
Critical Impact
Attackers can exploit this authentication bypass to fraudulently complete orders without payment, potentially causing significant financial losses for e-commerce stores using the Paidy payment gateway.
Affected Products
- Japanized for WooCommerce plugin versions ≤ 2.8.4
- WordPress sites using Paidy payment gateway integration
- WooCommerce stores with the woocommerce-for-japan plugin installed
Discovery Timeline
- 2026-02-27 - CVE-2026-1305 published to NVD
- 2026-02-27 - Last updated in NVD database
Technical Details for CVE-2026-1305
Vulnerability Analysis
This authentication bypass vulnerability stems from improper validation logic in the Paidy payment webhook handler. When a webhook request arrives at the endpoint, the plugin's permission check function (paidy_webhook_permission_check) is designed to validate the authenticity of incoming requests by verifying a cryptographic signature header. However, when an attacker omits the signature header entirely from their request, the function fails to properly handle this edge case and unconditionally returns true, granting full access to the webhook functionality.
The vulnerability allows unauthenticated remote attackers to interact with the payment processing system as if they were the legitimate Paidy payment service. By crafting malicious POST requests to the webhook endpoint without the required signature header, attackers can manipulate order statuses and mark unpaid orders as completed.
Root Cause
The root cause of this vulnerability is a logical flaw in the paidy_webhook_permission_check function located in class-wc-paidy-endpoint.php. The function's conditional logic fails to enforce signature validation when the signature header is absent. Instead of returning false (denying access) when the signature is missing, the function's control flow results in returning true, effectively disabling the authentication mechanism entirely.
This represents a classic "fail-open" security anti-pattern where the absence of authentication credentials is treated as valid authentication rather than being rejected. Proper implementation should follow "fail-closed" principles, denying access by default when required authentication parameters are not present.
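The fail-open shape described above beside a fail-closed rewrite, as an added illustration that is not the plugin's own code; the header name, the HMAC-SHA256 scheme, the option holding the secret and the REST route are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. Header name, HMAC-SHA256
// scheme, option name and REST route are assumptions for the example.

// Fail-open shape the advisory describes: the signature is verified only
// when the header is present; an omitted header falls through to true.
function paidy_webhook_permission_check_fail_open( WP_REST_Request $request ) {
    $signature = $request->get_header( 'x-paidy-signature' ); // assumed header
    if ( null !== $signature ) {
        $secret   = (string) get_option( 'paidy_webhook_secret' );  // assumed option
        $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
        if ( ! hash_equals( $expected, $signature ) ) {
            return false; // a wrong signature is rejected ...
        }
    }
    return true;          // ... but a missing one is accepted: fail-open
}

// Fail-closed version: missing header, unconfigured secret and mismatch
// all deny, and the deny happens before any order state is touched.
function paidy_webhook_permission_check_fail_closed( WP_REST_Request $request ) {
    $signature = $request->get_header( 'x-paidy-signature' ); // assumed header
    $secret    = (string) get_option( 'paidy_webhook_secret' ); // assumed option
    if ( null === $signature || '' === $signature || '' === $secret ) {
        return new WP_Error( 'paidy_webhook_unsigned', 'Missing signature.', array( 'status' => 401 ) );
    }
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    if ( ! hash_equals( $expected, $signature ) ) { // constant-time comparison
        return new WP_Error( 'paidy_webhook_bad_signature', 'Invalid signature.', array( 'status' => 403 ) );
    }
    return true;
}

// Placeholder for the handler that would update the WooCommerce order.
function paidy_webhook_handler( WP_REST_Request $request ) {
    return new WP_REST_Response( array( 'received' => true ), 200 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wc-paidy/v1', '/webhook', array( // assumed route
        'methods'             => 'POST',
        'callback'            => 'paidy_webhook_handler',
        'permission_callback' => 'paidy_webhook_permission_check_fail_closed',
    ) );
} );
```

The permission callback runs before the route callback, so in the fail-closed version an unsigned request never reaches the code that changes order status.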
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction. An attacker needs only to:
- Identify a WordPress site running the vulnerable Japanized for WooCommerce plugin
- Locate the Paidy webhook endpoint URL
- Craft a POST request with the appropriate payload structure to modify order status
- Omit the webhook signature header from the request
- Send the request to fraudulently mark orders as paid
The vulnerability is exploited by sending specially crafted POST requests to the Paidy webhook endpoint without including the expected signature header. The flawed permission check in class-wc-paidy-endpoint.php fails to properly validate the absence of the signature, allowing the malicious request to bypass authentication. Once past this check, attackers can manipulate order data to mark orders as "Processing" or "Completed" without legitimate payment authorization. For technical details, see the Wordfence Vulnerability Overview and related WordPress code references.
Detection Methods for CVE-2026-1305
Indicators of Compromise
- Unexpected orders marked as "Processing" or "Completed" without corresponding payment records in Paidy dashboard
- HTTP POST requests to the Paidy webhook endpoint lacking the signature header
- Orders with payment status discrepancies between WooCommerce and the Paidy payment gateway
- Unusual spikes in completed orders from unfamiliar sources or IP addresses
Detection Strategies
- Monitor web server access logs for POST requests to /wp-json/ or WooCommerce webhook endpoints that lack the expected authentication headers (the default combined log format does not record request headers, so the signature header has to be added to the log format before this check is possible)
- Implement Web Application Firewall (WAF) rules to flag or block webhook requests without signature headers
- Enable detailed logging for WooCommerce payment gateway activity to track order status changes
- Cross-reference WooCommerce order completions with actual Paidy payment confirmations
Monitoring Recommendations
- Configure alerts for order status changes that lack corresponding payment gateway transaction IDs
- Implement real-time monitoring of webhook endpoint traffic patterns and authentication failures
- Establish baseline metrics for normal webhook activity to detect anomalous request volumes
- Review WooCommerce order audit logs regularly for unauthorized status modifications
How to Mitigate CVE-2026-1305
Immediate Actions Required
- Update the Japanized for WooCommerce plugin to version 2.8.5 or later immediately
- Audit recent orders for potential fraudulent status changes that bypassed payment verification
- Temporarily disable the Paidy payment gateway if immediate patching is not possible
- Review web server logs for evidence of exploitation attempts against the webhook endpoint
Patch Information
The vulnerability has been addressed in the plugin update. The fix ensures that the paidy_webhook_permission_check function properly validates the presence and authenticity of the webhook signature header, returning false when the header is missing or invalid. The patch can be reviewed in WordPress Changeset 3464868. Site administrators should update through the WordPress plugin update mechanism or manually download the patched version from the WordPress plugin repository.
Workarounds
- Implement additional server-level authentication for webhook endpoints using .htaccess or nginx configuration rules
- Configure WAF rules to require and validate signature headers on all requests to the Paidy webhook endpoint
- Temporarily disable the Paidy payment gateway and use alternative payment methods until the patch is applied
- Add IP allowlisting to restrict webhook endpoint access to known Paidy service IP addresses
  # Example nginx configuration to add IP restriction for webhook endpoint
  # Add to the server block configuration
  location ~* /wp-json/.*paidy {
      # Only allow requests from Paidy's known IP ranges.
      # 203.0.113.0/24 is a documentation-range placeholder; replace it with the actual Paidy service IPs.
      allow 203.0.113.0/24;
      deny all;
      # Hand the request to the WordPress front controller (PHP handler)
      try_files $uri $uri/ /index.php?$args;
  }
  # Note: sites without pretty permalinks expose the REST API as /?rest_route=/... as well,
  # which this location does not match; restrict that form too if it is enabled.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

