CVE-2026-9027: The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and inclu
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspay_success_handler function registers the REST endpoint POST /wp-json/corvuspay/success/ with 'permission_callback' => '__return_true', and while it calls $this->client->validate->signature() and stores the boolean result in $res, the result is never evaluated in a conditional — it is only written to the debug log — causing execution to unconditionally reach $order->payment_complete() regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the order_number POST parameter, requiring no prior knowledge of the victim order.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-9027
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-90270.22% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 13% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-9027 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for CorvusPay WooCommerce Payment
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-6939: The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Si…nvd · 2026-07-11
- mediumCVE-2026-9028: The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization b…nvd · 2026-07-09
- highCVE-2026-56029: Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versio…nvd · 2026-06-26
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11