Skip to main content
CVE Vulnerability Database

CVE-2026-9027: CorvusPay WooCommerce Auth Bypass Flaw

CVE-2026-9027 is an authentication bypass vulnerability in CorvusPay WooCommerce Payment Gateway plugin that allows attackers to mark orders as paid without payment. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-9027 Overview

CVE-2026-9027 is a payment bypass vulnerability in the CorvusPay WooCommerce Payment Gateway plugin for WordPress affecting all versions up to and including 2.7.4. The flaw resides in the corvuspay_success_handler function, which exposes the REST endpoint POST /wp-json/corvuspay/success/ with 'permission_callback' => '__return_true'. While the handler invokes $this->client->validate->signature(), it never evaluates the boolean result before calling $order->payment_complete(). The issue is categorized under [CWE-347: Improper Verification of Cryptographic Signature].

Critical Impact

Unauthenticated attackers can mark any pending WooCommerce order as fully paid by submitting a forged signature to the success endpoint, enumerating sequential order_number values to obtain goods or services without payment.

Affected Products

  • CorvusPay WooCommerce Payment Gateway plugin for WordPress, versions up to and including 2.7.4
  • WordPress sites running WooCommerce with the CorvusPay integration enabled
  • Merchant storefronts exposing the /wp-json/corvuspay/success/ REST route

Discovery Timeline

  • 2026-07-09 - CVE CVE-2026-9027 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-9027

Vulnerability Analysis

The CorvusPay plugin registers an unauthenticated REST route to receive payment confirmations from the CorvusPay processor. The handler retrieves the order using the client-supplied order_number POST parameter and computes a signature validation result via $this->client->validate->signature(). The returned boolean is stored in the local variable $res and written to a debug log, but no conditional statement inspects the value. Execution then unconditionally proceeds to $order->payment_complete(), transitioning the order to a paid state.

Because the endpoint is registered with permission_callback => __return_true, no authentication, capability, or nonce check gates the request. WooCommerce order IDs are sequential integers, so attackers can enumerate valid order numbers without prior knowledge of any specific transaction.

Root Cause

The root cause is a missing conditional check around the signature verification result. The developer wired the validation routine but forgot to branch on its return value, converting cryptographic verification into a purely informational operation. This is a classic instance of [CWE-347] where a signature is computed but its verdict is discarded.

Attack Vector

Exploitation is network-based and requires no authentication or user interaction. An attacker sends a crafted POST request to /wp-json/corvuspay/success/ containing an order_number field targeting a pending order and any arbitrary value in the signature field. The server processes the request, logs the failed signature, and then still calls payment_complete(), releasing digital goods, activating subscriptions, or triggering fulfillment workflows tied to paid orders.

No verified exploitation code is publicly available. Technical details are documented in the Wordfence Vulnerability Report and the WordPress Plugin Source Code.

Detection Methods for CVE-2026-9027

Indicators of Compromise

  • Unexpected POST requests to /wp-json/corvuspay/success/ from client IP addresses not associated with the CorvusPay processor
  • WooCommerce orders transitioning from pending to processing or completed without a matching transaction record in the CorvusPay merchant portal
  • Sequential order_number values appearing in access logs within a short time window, indicating enumeration
  • Debug log entries showing signature validation failures immediately followed by payment_complete() execution

Detection Strategies

  • Correlate WooCommerce order status changes against CorvusPay settlement reports to identify orders marked paid without a corresponding processor transaction.
  • Inspect web server access logs for repeated POST requests to the CorvusPay success endpoint from a single source or non-CorvusPay IP ranges.
  • Review PHP or WordPress debug logs for signature validation failures preceding successful order completion events.
  • Alert on WooCommerce email notifications for completed orders that reference customer accounts or guest sessions with no prior checkout activity.

Monitoring Recommendations

  • Enable request logging for all /wp-json/corvuspay/* routes and forward the logs to a centralized SIEM for correlation.
  • Monitor the rate of new completed orders per hour and alert on statistical anomalies against historical baselines.
  • Track HTTP requests from unexpected geographies or Tor exit nodes reaching payment callback endpoints.

How to Mitigate CVE-2026-9027

Immediate Actions Required

  • Upgrade the CorvusPay WooCommerce Payment Gateway plugin to a version later than 2.7.4 as soon as the vendor publishes a fix.
  • Audit all WooCommerce orders completed since the plugin was installed and reconcile them against CorvusPay processor settlement records.
  • Temporarily disable the CorvusPay plugin if reconciliation confirms unauthorized order completions and no patched version is yet available.
  • Rotate any API credentials or shared secrets used by the CorvusPay integration after applying the patch.

Patch Information

At the time of publication, the vulnerability affects all versions up to and including 2.7.4. Review the WordPress Changeset Log and the Wordfence Vulnerability Report for the latest patched release information.

Workarounds

  • Restrict access to /wp-json/corvuspay/success/ at the web server or WAF layer, allowing only the published CorvusPay processor IP ranges.
  • Deploy a WAF rule that blocks POST requests to the endpoint originating from client browsers rather than server-to-server callbacks.
  • Configure WooCommerce to require manual review of orders exceeding a defined value threshold before fulfillment is triggered.
  • Disable the CorvusPay plugin and switch to an alternative payment gateway until a fixed version is available.
bash
# Example nginx allowlist restricting the CorvusPay success callback to processor IPs
location = /wp-json/corvuspay/success/ {
    allow 203.0.113.0/24;   # Replace with CorvusPay processor IP range
    deny  all;
    try_files $uri $uri/ /index.php?$args;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.