CVE-2026-7862 Overview
CVE-2026-7862 affects the Eupago Gateway for WooCommerce WordPress plugin in versions prior to 4.7.2. The plugin fails to restrict access to its refund request handler, exposing the endpoint to unauthenticated requests. Attackers can invoke the handler to initiate refunds against arbitrary WooCommerce orders using the merchant's stored payment gateway credentials. For payment methods that support payee redirection, attackers can route the refunded funds to an attacker-controlled bank account. This represents a broken access control flaw with direct financial impact for merchants running the affected plugin.
Critical Impact
Unauthenticated attackers can drain merchant funds by issuing refunds against any WooCommerce order and, for supported payment methods, redirect those refunds to attacker-controlled bank accounts.
Affected Products
- Eupago Gateway for WooCommerce WordPress plugin versions before 4.7.2
- WooCommerce stores integrating the Eupago payment gateway
- WordPress sites with the vulnerable plugin installed and active
Discovery Timeline
- 2026-05-28 - CVE-2026-7862 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-7862
Vulnerability Analysis
The vulnerability resides in the plugin's refund request handler. The handler is registered as a publicly reachable endpoint but does not perform authentication, capability, or nonce checks before processing refund requests. An unauthenticated attacker can send a crafted HTTP request that triggers the handler against any WooCommerce order identifier. The plugin then forwards the refund instruction to the Eupago payment gateway using the merchant's stored API credentials.
For payment methods that accept a destination bank account in the refund payload, the handler accepts attacker-supplied account details and forwards them to the gateway. The gateway processes the refund against the merchant's balance and disburses funds to the supplied account. This converts a broken access control issue into a direct funds-theft primitive.
Root Cause
The root cause is missing authorization on a sensitive state-changing endpoint, classifiable as Broken Access Control. The refund handler trusts the request origin without verifying that the caller is an authenticated administrator or shop manager (in WordPress terms, a capability check such as current_user_can('manage_woocommerce')). It also omits WordPress nonce validation. A nonce on its own would not have closed the hole: nonces defend against cross-site request forgery of an already-authenticated user, not against an anonymous caller, so the fix needs both a capability check and a nonce check.
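The pattern and its fix, as an added illustration that is not the Eupago plugin's source and does not claim to reproduce it: a WordPress AJAX refund handler exposed to anonymous callers next to a hardened version. The hook names, the example_ functions, the request field names, the option name holding the merchant credential and the gateway URL are all assumptions made for the example.

```php
<?php
// Illustrative vulnerable vs. hardened AJAX refund handler (example code,
// not the Eupago plugin's source). Hook names, example_ functions, request
// fields, the option name and the gateway URL are assumptions.

// VULNERABLE: the wp_ajax_nopriv_ registration makes the handler reachable
// by anonymous callers, and the body never checks who is asking.
add_action( 'wp_ajax_nopriv_example_refund', 'example_refund_vulnerable' );
add_action( 'wp_ajax_example_refund', 'example_refund_vulnerable' );

function example_refund_vulnerable() {
	$order_id = absint( $_POST['order_id'] ?? 0 );
	$amount   = (float) ( $_POST['amount'] ?? 0 );
	// Payout destination taken straight from the request: the caller decides
	// where the merchant's money goes.
	$iban     = sanitize_text_field( wp_unslash( $_POST['iban'] ?? '' ) );

	$order = wc_get_order( $order_id );
	if ( ! $order instanceof WC_Order ) {
		wp_send_json_error( 'unknown order', 404 );
	}
	example_gateway_refund( $order, $amount, $iban );
	wp_send_json_success();
}

// HARDENED: no nopriv hook, CSRF nonce, capability check, amount bounded by
// the order, and the payout destination is never read from the request.
add_action( 'wp_ajax_example_refund_secure', 'example_refund_secure' );

function example_refund_secure() {
	// Nonce = CSRF protection only; it does not establish who the caller is.
	check_ajax_referer( 'example_refund_nonce', 'security' );

	// Authorization: only users allowed to manage the shop may refund.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
	if ( ! $order instanceof WC_Order ) {
		wp_send_json_error( 'unknown order', 404 );
	}

	// Never refund more than is still refundable on this order.
	$amount = (float) ( $_POST['amount'] ?? 0 );
	$max    = (float) $order->get_total() - (float) $order->get_total_refunded();
	if ( $amount <= 0 || $amount > $max ) {
		wp_send_json_error( 'invalid amount', 400 );
	}

	// Record the refund in WooCommerce first so it appears in the order
	// history and audit trail, then instruct the gateway.
	$refund = wc_create_refund( array(
		'order_id' => $order->get_id(),
		'amount'   => $amount,
		'reason'   => 'Manual refund via secure handler',
	) );
	if ( is_wp_error( $refund ) ) {
		wp_send_json_error( $refund->get_error_message(), 500 );
	}

	example_gateway_refund( $order, $amount, null );
	wp_send_json_success( array( 'refund_id' => $refund->get_id() ) );
}

// Gateway call using the merchant's stored credential. The endpoint and the
// option name are placeholders, not the real Eupago API.
function example_gateway_refund( WC_Order $order, float $amount, ?string $destination ) {
	$payload = array(
		'transaction' => $order->get_transaction_id(),
		'amount'      => $amount,
	);
	if ( null !== $destination ) {
		$payload['iban'] = $destination; // only the vulnerable path ever sets this
	}
	return wp_remote_post( 'https://gateway.example/refund', array(
		'headers' => array(
			'Authorization' => 'Bearer ' . get_option( 'example_gateway_api_key' ),
			'Content-Type'  => 'application/json',
		),
		'body'    => wp_json_encode( $payload ),
	) );
}
```

The two handlers differ in four places that matter: the hardened one is registered only for logged-in users (no wp_ajax_nopriv_ hook), it verifies a nonce, it checks a capability, and it never lets the request choose the payout destination. Dropping the nopriv hook alone is not enough, because any account that can log in (a customer, for example) could still call a wp_ajax_ handler; the capability check is what turns "logged in" into "allowed to refund".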
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker enumerates target sites running the plugin, obtains valid WooCommerce order identifiers (by default these are sequential integers, so they can be iterated without any insider knowledge, in addition to being exposed through public order references) and submits crafted refund requests to the exposed handler. For payment methods that allow specifying a refund destination, the attacker includes an attacker-controlled account in the request. Refer to the WPScan Vulnerability Report for additional context on the exposed handler.
Detection Methods for CVE-2026-7862
Indicators of Compromise
- Unexpected refund transactions in WooCommerce order history that were not initiated by store staff.
- Refund records in the Eupago merchant dashboard targeting unfamiliar bank accounts or IBANs.
- HTTP POST requests to the plugin's refund handler endpoint from unauthenticated sources or unusual IP addresses.
- WooCommerce order status changes to refunded without corresponding entries in administrator audit logs.
Detection Strategies
- Review web server access logs for requests targeting the Eupago refund handler path. Standard combined-format access logs record the Referer header but not cookies, so in those logs filter on requests with a missing or non-/wp-admin/ referrer; use WAF or application logs, where the wordpress_logged_in_ cookie is visible, to isolate requests that carried no session at all.
- Correlate WooCommerce refund events against authenticated administrator sessions to identify refunds with no matching admin activity.
- Reconcile Eupago payment gateway statements against expected refund volume to surface anomalous outflows.
Monitoring Recommendations
- Enable WordPress audit logging for all refund and order state transitions and ship logs to a centralized SIEM.
- Alert on any refund request that originates outside the WordPress admin context, that is performed without a user holding the manage_woocommerce capability, or that fails WordPress nonce verification.
- Monitor for spikes in refund volume per hour and per order, with thresholds tuned to baseline merchant activity.
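One way to implement the correlation in the detection strategies above (refund events against an authorized user session) and the audit logging and alerting recommended here, as an added example that is not part of the Eupago plugin or of WooCommerce: a must-use plugin that hooks WooCommerce's own refund event, records who performed each refund and from where, and raises an alert when no user with the manage_woocommerce capability was behind it. The example_ function names and the log source name are assumptions.

```php
<?php
/**
 * Plugin Name: Refund Audit (example)
 * Description: Added example, not part of the Eupago plugin. Drop into
 * wp-content/mu-plugins/ to log every WooCommerce refund with actor context.
 */

// woocommerce_order_refunded fires from wc_create_refund() with ($order_id, $refund_id).
add_action( 'woocommerce_order_refunded', 'example_audit_refund', 10, 2 );

function example_audit_refund( $order_id, $refund_id ) {
	$order  = wc_get_order( $order_id );
	$refund = wc_get_order( $refund_id ); // returns a WC_Order_Refund for refund IDs
	$user   = wp_get_current_user();

	$context = array(
		'order_id'   => (int) $order_id,
		'refund_id'  => (int) $refund_id,
		'amount'     => $refund instanceof WC_Order_Refund ? (float) $refund->get_amount() : null,
		'user_id'    => (int) $user->ID,
		'user_login' => $user->ID ? $user->user_login : 'anonymous',
		'can_manage' => current_user_can( 'manage_woocommerce' ),
		'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
		'request'    => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
		'doing_ajax' => wp_doing_ajax(),
		'doing_cron' => wp_doing_cron(),
		'in_admin'   => is_admin(),
	);

	$logger = wc_get_logger();
	$source = array( 'source' => 'refund-audit' ); // written to WooCommerce > Status > Logs

	// Cron-driven refunds have no user by design. Anything else performed
	// without a shop-manager-level user is the signature of this bug.
	if ( ! $context['can_manage'] && ! $context['doing_cron'] ) {
		$logger->alert( 'Refund without an authorized user: ' . wp_json_encode( $context ), $source );
		example_notify_admin( $context );
	} else {
		$logger->info( 'Refund: ' . wp_json_encode( $context ), $source );
	}

	// Pin the actor on the order itself so it shows up in the order notes.
	if ( $order instanceof WC_Order ) {
		$order->add_order_note( sprintf(
			'Refund %d recorded; actor=%s ip=%s',
			(int) $refund_id,
			$context['user_login'],
			$context['remote_ip']
		) );
	}
}

function example_notify_admin( array $context ) {
	wp_mail(
		get_option( 'admin_email' ),
		sprintf( '[refund-audit] Unauthorized refund on order %d', $context['order_id'] ),
		wp_json_encode( $context, JSON_PRETTY_PRINT )
	);
}
```

Two caveats when reading its output. First, the hook only fires for refunds that go through WooCommerce's refund objects; if a gateway plugin sends a refund instruction to the processor without creating a WC refund, nothing is logged here, which is why the gateway statement reconciliation above is still needed. Second, legitimate gateway-initiated refunds delivered by webhook also run without a user, so after confirming those webhook paths, allowlist them by request URI rather than by weakening the capability check.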
How to Mitigate CVE-2026-7862
Immediate Actions Required
- Update the Eupago Gateway for WooCommerce plugin to version 4.7.2 or later on all WordPress installations.
- Audit recent refund history in both WooCommerce and the Eupago merchant dashboard for unauthorized transactions.
- Rotate Eupago API credentials stored in the plugin configuration if unauthorized refunds are detected.
- Contact Eupago support to dispute and reverse any fraudulent refunds identified during the audit.
Patch Information
Upgrade to Eupago Gateway for WooCommerce version 4.7.2 or later. The fixed release adds authorization and request validation to the refund handler. See the WPScan Vulnerability Report for the fixed version reference.
Workarounds
- Deactivate the Eupago Gateway for WooCommerce plugin until the patched version can be deployed.
- Block external access to the refund handler URL at the web application firewall or reverse proxy layer.
- Restrict access to WordPress AJAX (admin-ajax.php) and admin-post.php endpoints by IP allowlist where feasible. WooCommerce and many themes use admin-ajax.php for storefront features such as the cart, so allowlist only the specific refund action or handler path rather than the whole endpoint, or storefront functionality will break.
# Example ModSecurity rule: block refund-handler requests that carry no
# WordPress login cookie. This is a stopgap, not a fix: the WAF cannot check
# capabilities, so any account that can log in still gets through. Confirm the
# real handler path and/or admin-ajax "action" name from the plugin source
# before deploying; "eupago" and "refund" below are placeholder patterns.
# Phase 2 is used so that POST body arguments are visible to the rule.
SecRule REQUEST_URI|ARGS:action "@rx (?i)eupago" \
    "id:1026786,phase:2,deny,status:403,log,\
    msg:'Blocked unauthenticated Eupago refund handler access',\
    chain"
    SecRule REQUEST_URI|ARGS:action "@rx (?i)refund" \
        "chain"
        # WordPress names its login cookie wordpress_logged_in_<hash>, so an
        # exact cookie name never matches; select it with a regex instead.
        SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


