mediumCVE-2026-9027

CorvusPay WooCommerce Payment Gateway Payment Bypass Vulnerability

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The `corvuspay_success_handler` function registers the REST endpoint `POST /wp-json/corvuspay/success/` with `'permission_callback' => '__return_true'`, and while it calls `$this->client->validate->signature()` and stores the boolean result in `$res`, the result is never evaluated in a conditional — it is only written to the debug log — causing execution to unconditionally reach `$order->payment_complete()` regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the `order_number` POST parameter, requiring no prior knowledge of the victim order.

ProductCorvusPay WooCommerce Payment Gateway
CVSS5.3
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

CorvusPay WooCommerce Payment Gateway should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CorvusPay WooCommerce Payment Gateway up to and including 2.7.4

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CorvusPay WooCommerce Payment Gateway up to and including 2.7.4 is affected by CVE-2026-9027. The payment success workflow must not be trusted until the plugin is patched or disabled, because the payment success handler can mark orders paid without enforcing the cryptographic signature result. Prioritize any store accepting live WooCommerce payments through CorvusPay.

  1. Inventory all WordPress stores using CorvusPay WooCommerce Payment Gateway and record the installed plugin version.
  2. Update CorvusPay WooCommerce Payment Gateway to a vendor-fixed version newer than 2.7.4 as soon as it is available.
  3. Temporarily disable the CorvusPay payment method or place the store in maintenance mode if no fixed version is available.
  4. Review WooCommerce orders paid through CorvusPay for suspicious order_number activity, forged callbacks, and unusual paid status transitions.
  5. Restrict access to the vulnerable REST success endpoint with a web application firewall rule until the plugin is fixed.
  6. Rotate payment gateway secrets if callback data or debug logs indicate attempted forgery.
  7. Clear WordPress, WooCommerce, object, and CDN caches after updating the plugin.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm CorvusPay WooCommerce Payment Gateway is no longer at version 2.7.4 or older.
  • Send a safe test callback with an invalid signature in staging and confirm it cannot mark an order as paid.
  • Confirm legitimate CorvusPay payment callbacks still complete orders after the fix.
  • Review recent orders for unauthorized paid status changes.
  • Run a Fixnx scan and verify the affected store pages and exposed endpoints are reviewed after remediation.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-9027?

CorvusPay WooCommerce Payment Gateway versions listed as affected should be reviewed: CorvusPay WooCommerce Payment Gateway up to and including 2.7.4.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.