CorvusPay WooCommerce Payment Gateway Order Cancellation Authorization Bypass Vulnerability
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to cancel any WooCommerce order placed via the CorvusPay payment method by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST endpoint.
Quick answer
CorvusPay WooCommerce Payment Gateway should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CorvusPay WooCommerce Payment Gateway up to and including 2.7.4
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CorvusPay WooCommerce Payment Gateway is affected by CVE-2026-9028. The vulnerable versions allow an attacker to abuse a missing authorization, capability, or nonce check: unauthenticated requests can cancel WooCommerce orders through the CorvusPay cancel endpoint. Update or disable the plugin first on public WordPress and WooCommerce sites.
- Inventory every WordPress site where CorvusPay WooCommerce Payment Gateway is installed and enabled.
- Update CorvusPay WooCommerce Payment Gateway beyond the affected version 2.7.4 when a vendor-fixed release is available.
- Disable the plugin temporarily if the affected workflow is exposed and no fixed release is available.
- Remove unnecessary subscriber accounts and review recently created low-privilege users.
- Restrict the vulnerable AJAX or REST actions with WAF rules until the plugin is patched.
- Review WordPress, WooCommerce, and plugin logs for suspicious requests targeting the affected action or order/job/quote identifiers.
- Clear page, object, and CDN caches after patching so old localized nonce or JavaScript data is not reused.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm CorvusPay WooCommerce Payment Gateway is not running version 2.7.4 or older.
- Test the affected action as a subscriber or unauthenticated user in staging and confirm the request is rejected.
- Verify legitimate administrator or shop-manager workflows still work after the update.
- Review recent content, labels, quotes, orders, or settings for unauthorized changes.
- Run a Fixnx scan and confirm public WordPress exposure signals have been rechecked.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-9028?
CorvusPay WooCommerce Payment Gateway versions listed as affected should be reviewed: CorvusPay WooCommerce Payment Gateway up to and including 2.7.4.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
