CVE-2026-9028 Overview
CVE-2026-9028 is an authorization bypass vulnerability in the CorvusPay WooCommerce Payment Gateway plugin for WordPress. The plugin fails to verify that a user is authorized to perform an order cancellation. Unauthenticated attackers can send arbitrary order numbers to the /wp-json/corvuspay/cancel/ REST endpoint and cancel any WooCommerce order placed via the CorvusPay payment method. All plugin versions up to and including 2.7.4 are affected. The weakness is classified as Missing Authorization [CWE-862].
Critical Impact
Unauthenticated attackers can cancel arbitrary WooCommerce orders processed through CorvusPay, disrupting merchant revenue and order fulfillment workflows.
Affected Products
- CorvusPay WooCommerce Payment Gateway plugin for WordPress
- All versions up to and including 2.7.4
- WordPress sites using CorvusPay as a WooCommerce payment method
Discovery Timeline
- 2026-07-09 - CVE-2026-9028 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-9028
Vulnerability Analysis
The CorvusPay plugin registers a REST route at /wp-json/corvuspay/cancel/ that processes order cancellation requests. The route handler accepts an order number supplied by the caller but does not validate whether the caller owns the order, holds an administrative role, or presents a valid cancellation token. Any unauthenticated HTTP client can therefore submit a request referencing an order identifier and cause that order to transition into a cancelled state.
The result is a business logic disruption. Attackers who enumerate or guess sequential WooCommerce order IDs can cancel orders in bulk, block legitimate payments from completing, and interfere with fulfillment. The impact is integrity-focused: order state is modified without authorization, while confidentiality and availability of the WordPress site itself remain intact.
Root Cause
The root cause is missing authorization enforcement on the cancellation REST endpoint. The permission_callback used when registering the route does not tie the request to the order owner or verify a signed nonce bound to the transaction. The relevant handler logic can be reviewed in the plugin sources at class-wc-gateway-corvuspay.php line 792 and class-wc-order-corvuspay.php line 172.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP request to the vulnerable REST endpoint on the target WordPress site, supplying an order number as a parameter. If the order exists and was paid through CorvusPay, the plugin marks it as cancelled. Order numbers are typically sequential integers, which makes enumeration trivial.
Because no verified proof-of-concept code has been published, technical details are referenced from the Wordfence Vulnerability Report and the CorvusPay plugin changeset.
Detection Methods for CVE-2026-9028
Indicators of Compromise
- HTTP requests to /wp-json/corvuspay/cancel/ from unauthenticated sources or unusual IP ranges.
- WooCommerce orders transitioning to a cancelled state without a corresponding user session, admin action, or gateway callback.
- Sequential probing of order identifiers against the CorvusPay REST route within short time windows.
Detection Strategies
- Review web server access logs for POST or GET requests targeting the /wp-json/corvuspay/cancel/ path and correlate against WooCommerce order status changes.
- Enable WooCommerce order note auditing to record the source of each cancellation and flag events with missing user context.
- Alert on high volumes of cancellation events across distinct order IDs originating from a small set of client IPs.
Monitoring Recommendations
- Ship WordPress and web server logs to a centralized SIEM and build a rule for unauthenticated hits against wp-json/corvuspay/*.
- Track daily counts of cancelled CorvusPay orders and alert on statistical anomalies.
- Monitor WAF logs for enumeration patterns against WooCommerce REST endpoints.
How to Mitigate CVE-2026-9028
Immediate Actions Required
- Update the CorvusPay WooCommerce Payment Gateway plugin to the version that ships the fix referenced in the plugin changeset.
- Audit recent WooCommerce order history for unexplained cancellations of CorvusPay orders and restore legitimate orders where required.
- Restrict access to /wp-json/corvuspay/cancel/ at the WAF or reverse proxy layer until the update is applied.
Patch Information
The vendor addressed the missing authorization in a version released after 2.7.4. Refer to the Wordfence advisory and the WordPress.org plugin repository for the fixed release. The patch adds proper authorization checks so that only the order owner or an authorized process can cancel a CorvusPay order.
Workarounds
- Block or rate-limit external requests to /wp-json/corvuspay/cancel/ at the WAF, reverse proxy, or via a mu-plugin that returns 401 for unauthenticated callers.
- Temporarily disable the CorvusPay plugin if it is not actively in use and switch to an alternative payment gateway until patched.
- Require an authenticated administrator session for all WooCommerce REST cancellation actions via server-side access rules.
# Example nginx rule to block unauthenticated access to the vulnerable endpoint
location ~ ^/wp-json/corvuspay/cancel/ {
allow 10.0.0.0/8; # internal admin network
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

