Skip to main content
CVE Vulnerability Database

CVE-2026-9028: CorvusPay WooCommerce Auth Bypass Flaw

CVE-2026-9028 is an authorization bypass flaw in the CorvusPay WooCommerce Payment Gateway plugin that lets unauthenticated attackers cancel any order. This post covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-9028 Overview

CVE-2026-9028 is an authorization bypass vulnerability in the CorvusPay WooCommerce Payment Gateway plugin for WordPress. The plugin fails to verify that a user is authorized to perform an order cancellation. Unauthenticated attackers can send arbitrary order numbers to the /wp-json/corvuspay/cancel/ REST endpoint and cancel any WooCommerce order placed via the CorvusPay payment method. All plugin versions up to and including 2.7.4 are affected. The weakness is classified as Missing Authorization [CWE-862].

Critical Impact

Unauthenticated attackers can cancel arbitrary WooCommerce orders processed through CorvusPay, disrupting merchant revenue and order fulfillment workflows.

Affected Products

  • CorvusPay WooCommerce Payment Gateway plugin for WordPress
  • All versions up to and including 2.7.4
  • WordPress sites using CorvusPay as a WooCommerce payment method

Discovery Timeline

  • 2026-07-09 - CVE-2026-9028 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-9028

Vulnerability Analysis

The CorvusPay plugin registers a REST route at /wp-json/corvuspay/cancel/ that processes order cancellation requests. The route handler accepts an order number supplied by the caller but does not validate whether the caller owns the order, holds an administrative role, or presents a valid cancellation token. Any unauthenticated HTTP client can therefore submit a request referencing an order identifier and cause that order to transition into a cancelled state.

The result is a business logic disruption. Attackers who enumerate or guess sequential WooCommerce order IDs can cancel orders in bulk, block legitimate payments from completing, and interfere with fulfillment. The impact is integrity-focused: order state is modified without authorization, while confidentiality and availability of the WordPress site itself remain intact.

Root Cause

The root cause is missing authorization enforcement on the cancellation REST endpoint. The permission_callback used when registering the route does not tie the request to the order owner or verify a signed nonce bound to the transaction. The relevant handler logic can be reviewed in the plugin sources at class-wc-gateway-corvuspay.php line 792 and class-wc-order-corvuspay.php line 172.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP request to the vulnerable REST endpoint on the target WordPress site, supplying an order number as a parameter. If the order exists and was paid through CorvusPay, the plugin marks it as cancelled. Order numbers are typically sequential integers, which makes enumeration trivial.

Because no verified proof-of-concept code has been published, technical details are referenced from the Wordfence Vulnerability Report and the CorvusPay plugin changeset.

Detection Methods for CVE-2026-9028

Indicators of Compromise

  • HTTP requests to /wp-json/corvuspay/cancel/ from unauthenticated sources or unusual IP ranges.
  • WooCommerce orders transitioning to a cancelled state without a corresponding user session, admin action, or gateway callback.
  • Sequential probing of order identifiers against the CorvusPay REST route within short time windows.

Detection Strategies

  • Review web server access logs for POST or GET requests targeting the /wp-json/corvuspay/cancel/ path and correlate against WooCommerce order status changes.
  • Enable WooCommerce order note auditing to record the source of each cancellation and flag events with missing user context.
  • Alert on high volumes of cancellation events across distinct order IDs originating from a small set of client IPs.

Monitoring Recommendations

  • Ship WordPress and web server logs to a centralized SIEM and build a rule for unauthenticated hits against wp-json/corvuspay/*.
  • Track daily counts of cancelled CorvusPay orders and alert on statistical anomalies.
  • Monitor WAF logs for enumeration patterns against WooCommerce REST endpoints.

How to Mitigate CVE-2026-9028

Immediate Actions Required

  • Update the CorvusPay WooCommerce Payment Gateway plugin to the version that ships the fix referenced in the plugin changeset.
  • Audit recent WooCommerce order history for unexplained cancellations of CorvusPay orders and restore legitimate orders where required.
  • Restrict access to /wp-json/corvuspay/cancel/ at the WAF or reverse proxy layer until the update is applied.

Patch Information

The vendor addressed the missing authorization in a version released after 2.7.4. Refer to the Wordfence advisory and the WordPress.org plugin repository for the fixed release. The patch adds proper authorization checks so that only the order owner or an authorized process can cancel a CorvusPay order.

Workarounds

  • Block or rate-limit external requests to /wp-json/corvuspay/cancel/ at the WAF, reverse proxy, or via a mu-plugin that returns 401 for unauthenticated callers.
  • Temporarily disable the CorvusPay plugin if it is not actively in use and switch to an alternative payment gateway until patched.
  • Require an authenticated administrator session for all WooCommerce REST cancellation actions via server-side access rules.
bash
# Example nginx rule to block unauthenticated access to the vulnerable endpoint
location ~ ^/wp-json/corvuspay/cancel/ {
    allow 10.0.0.0/8;      # internal admin network
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.