CVE-2026-9027 Overview
CVE-2026-9027 is a payment bypass vulnerability in the CorvusPay WooCommerce Payment Gateway plugin for WordPress affecting all versions up to and including 2.7.4. The flaw resides in the corvuspay_success_handler function, which exposes the REST endpoint POST /wp-json/corvuspay/success/ with 'permission_callback' => '__return_true'. While the handler invokes $this->client->validate->signature(), it never evaluates the boolean result before calling $order->payment_complete(). The issue is categorized under [CWE-347: Improper Verification of Cryptographic Signature].
Critical Impact
Unauthenticated attackers can mark any pending WooCommerce order as fully paid by submitting a forged signature to the success endpoint, enumerating sequential order_number values to obtain goods or services without payment.
Affected Products
- CorvusPay WooCommerce Payment Gateway plugin for WordPress, versions up to and including 2.7.4
- WordPress sites running WooCommerce with the CorvusPay integration enabled
- Merchant storefronts exposing the /wp-json/corvuspay/success/ REST route
Discovery Timeline
- 2026-07-09 - CVE CVE-2026-9027 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-9027
Vulnerability Analysis
The CorvusPay plugin registers an unauthenticated REST route to receive payment confirmations from the CorvusPay processor. The handler retrieves the order using the client-supplied order_number POST parameter and computes a signature validation result via $this->client->validate->signature(). The returned boolean is stored in the local variable $res and written to a debug log, but no conditional statement inspects the value. Execution then unconditionally proceeds to $order->payment_complete(), transitioning the order to a paid state.
Because the endpoint is registered with permission_callback => __return_true, no authentication, capability, or nonce check gates the request. WooCommerce order IDs are sequential integers, so attackers can enumerate valid order numbers without prior knowledge of any specific transaction.
Root Cause
The root cause is a missing conditional check around the signature verification result. The developer wired the validation routine but forgot to branch on its return value, converting cryptographic verification into a purely informational operation. This is a classic instance of [CWE-347] where a signature is computed but its verdict is discarded.
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. An attacker sends a crafted POST request to /wp-json/corvuspay/success/ containing an order_number field targeting a pending order and any arbitrary value in the signature field. The server processes the request, logs the failed signature, and then still calls payment_complete(), releasing digital goods, activating subscriptions, or triggering fulfillment workflows tied to paid orders.
No verified exploitation code is publicly available. Technical details are documented in the Wordfence Vulnerability Report and the WordPress Plugin Source Code.
Detection Methods for CVE-2026-9027
Indicators of Compromise
- Unexpected POST requests to /wp-json/corvuspay/success/ from client IP addresses not associated with the CorvusPay processor
- WooCommerce orders transitioning from pending to processing or completed without a matching transaction record in the CorvusPay merchant portal
- Sequential order_number values appearing in access logs within a short time window, indicating enumeration
- Debug log entries showing signature validation failures immediately followed by payment_complete() execution
Detection Strategies
- Correlate WooCommerce order status changes against CorvusPay settlement reports to identify orders marked paid without a corresponding processor transaction.
- Inspect web server access logs for repeated POST requests to the CorvusPay success endpoint from a single source or non-CorvusPay IP ranges.
- Review PHP or WordPress debug logs for signature validation failures preceding successful order completion events.
- Alert on WooCommerce email notifications for completed orders that reference customer accounts or guest sessions with no prior checkout activity.
Monitoring Recommendations
- Enable request logging for all /wp-json/corvuspay/* routes and forward the logs to a centralized SIEM for correlation.
- Monitor the rate of new completed orders per hour and alert on statistical anomalies against historical baselines.
- Track HTTP requests from unexpected geographies or Tor exit nodes reaching payment callback endpoints.
How to Mitigate CVE-2026-9027
Immediate Actions Required
- Upgrade the CorvusPay WooCommerce Payment Gateway plugin to a version later than 2.7.4 as soon as the vendor publishes a fix.
- Audit all WooCommerce orders completed since the plugin was installed and reconcile them against CorvusPay processor settlement records.
- Temporarily disable the CorvusPay plugin if reconciliation confirms unauthorized order completions and no patched version is yet available.
- Rotate any API credentials or shared secrets used by the CorvusPay integration after applying the patch.
Patch Information
At the time of publication, the vulnerability affects all versions up to and including 2.7.4. Review the WordPress Changeset Log and the Wordfence Vulnerability Report for the latest patched release information.
Workarounds
- Restrict access to /wp-json/corvuspay/success/ at the web server or WAF layer, allowing only the published CorvusPay processor IP ranges.
- Deploy a WAF rule that blocks POST requests to the endpoint originating from client browsers rather than server-to-server callbacks.
- Configure WooCommerce to require manual review of orders exceeding a defined value threshold before fulfillment is triggered.
- Disable the CorvusPay plugin and switch to an alternative payment gateway until a fixed version is available.
# Example nginx allowlist restricting the CorvusPay success callback to processor IPs
location = /wp-json/corvuspay/success/ {
allow 203.0.113.0/24; # Replace with CorvusPay processor IP range
deny all;
try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

