CVE-2026-5050 Overview
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress contains an Improper Verification of Cryptographic Signature vulnerability (CWE-347) in versions up to and including 7.0.0. The vulnerability exists because the successful_request() handlers calculate a local signature but fail to validate the Ds_Signature parameter from incoming requests before accepting payment status updates across the Redsys, Bizum, and Google Pay gateway flows. This critical flaw allows unauthenticated attackers to forge payment callback data and mark pending orders as paid, potentially enabling checkout completion and product or service fulfillment without actual payment processing.
Critical Impact
Attackers can bypass payment verification entirely, marking unpaid orders as complete when they know a valid order key and order amount. This can lead to significant financial losses for e-commerce merchants using the affected plugin.
Affected Products
- Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress versions up to and including 7.0.0
- WordPress sites using Redsys payment gateway integration
- WordPress sites using Bizum and Google Pay gateway flows through this plugin
Discovery Timeline
- 2026-04-16 - CVE CVE-2026-5050 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-5050
Vulnerability Analysis
This vulnerability stems from a fundamental cryptographic verification failure in the payment callback handling mechanism. The plugin's successful_request() handlers are designed to process payment status callbacks from Redsys, Bizum, and Google Pay gateways. While the handlers correctly calculate a local cryptographic signature based on expected transaction parameters, they critically fail to compare this calculated signature against the Ds_Signature value provided in the incoming request.
In legitimate payment flows, the payment gateway signs callback data using a shared secret, and the merchant plugin must verify this signature to ensure the callback originated from the genuine payment processor. Without this verification step, an attacker who knows a valid order key and order amount can craft malicious callback requests that the plugin will accept as legitimate payment confirmations.
Root Cause
The root cause is the absence of signature comparison logic in the successful_request() handlers. The code calculates what the signature should be but never validates whether the incoming Ds_Signature matches. This is classified as CWE-347 (Improper Verification of Cryptographic Signature), a weakness where software receives input containing a cryptographic signature but does not verify or incorrectly verifies that the signature is valid.
The vulnerability affects multiple payment gateway flows (Redsys, Bizum, and Google Pay), suggesting the flawed validation pattern was replicated across different payment handler implementations within the plugin.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs to:
- Identify a target WordPress site running a vulnerable version of the Payment Gateway for Redsys & WooCommerce Lite plugin
- Obtain or guess a valid order key and corresponding order amount (order keys may be predictable or leaked through various means)
- Craft a forged payment callback request with fabricated Ds_Signature and payment success parameters
- Submit the malicious callback to the plugin's payment notification endpoint
Since the plugin does not verify the signature, it accepts the forged callback and marks the order as paid, triggering order fulfillment processes. The attack requires knowledge of valid order details but does not require any authentication or special privileges.
The vulnerability mechanism can be understood as follows: when a payment callback arrives, the plugin extracts transaction data and calculates what the signature should be based on the shared merchant secret. However, instead of comparing this calculated signature to the Ds_Signature provided in the request, the plugin proceeds to process the payment status update regardless of whether the signatures match. For detailed technical analysis, refer to the WordPress Plugin Changeset and Wordfence Vulnerability Overview.
Detection Methods for CVE-2026-5050
Indicators of Compromise
- Unexpected order status changes from "pending" to "paid" or "completed" without corresponding legitimate payment processor logs
- Payment callback requests in web server access logs with invalid or missing Ds_Signature values
- Orders marked as paid that lack corresponding transaction records in Redsys, Bizum, or Google Pay merchant dashboards
- Unusual patterns of rapid order completions from similar IP addresses or with sequential order keys
Detection Strategies
- Implement web application firewall (WAF) rules to log and analyze all traffic to WooCommerce payment callback endpoints
- Cross-reference completed orders in WooCommerce with actual transaction records in your payment processor's merchant portal
- Deploy file integrity monitoring to detect modifications to payment gateway plugin files
- Enable detailed WordPress and WooCommerce logging to capture payment callback processing events
Monitoring Recommendations
- Monitor server access logs for suspicious POST requests to payment notification URLs with unusual parameter patterns
- Set up alerts for orders that transition to "paid" status without corresponding payment gateway webhook confirmation in processor logs
- Implement anomaly detection for order completion rates that deviate significantly from historical baselines
- Review plugin update notifications and apply security patches promptly when available
How to Mitigate CVE-2026-5050
Immediate Actions Required
- Update the Payment Gateway for Redsys & WooCommerce Lite plugin to a version newer than 7.0.0 immediately
- Audit recent order history to identify any orders that may have been fraudulently marked as paid
- Review payment processor transaction logs and reconcile with WooCommerce order records
- Consider temporarily disabling the affected payment gateways until the patch is applied
Patch Information
A security fix has been released for this vulnerability. The patch adds proper signature verification to ensure the Ds_Signature received in payment callbacks is validated against the locally calculated signature before processing payment status updates. The fix addresses all affected gateway flows including Redsys, Bizum, and Google Pay. Review the WordPress Plugin Changeset for technical details on the remediation.
Workarounds
- If immediate patching is not possible, temporarily disable the Redsys, Bizum, and Google Pay payment methods in WooCommerce settings
- Implement additional server-side validation to manually verify payment status with your payment processor before fulfilling orders
- Use IP allowlisting to restrict payment callback endpoints to only accept requests from legitimate Redsys/Bizum/Google Pay server IP ranges
- Enable manual order review for all orders above a certain value threshold until the plugin is updated
# Example: Restrict payment callback endpoint access by IP (Apache .htaccess)
# Replace with actual Redsys gateway IP ranges from your payment processor documentation
<Files "wc-api/WC_Gateway_Redsys">
Order Deny,Allow
Deny from all
Allow from 195.76.9.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
