Japanized for WooCommerce <= 2.8.4 - Missing Authentication for Unauthorized Paidy Order Manipulation
Platform
wordpress
Component
woocommerce-for-japan
Fixed in
2.8.5
CVE-2026-1305 is an improper authentication vulnerability discovered in the Japanized for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to manipulate order statuses, potentially leading to fraudulent transactions. The vulnerability affects versions up to 2.8.4, and a patch is available in version 2.8.5.
Impact and Attack Scenarios
The primary impact of CVE-2026-1305 is fraudulent order processing. An attacker can send a crafted POST request to the Paidy webhook endpoint without the expected signature, bypassing payment verification, and mark orders as "Processing" or "Completed" without any payment having been received. This can cause direct financial loss for merchants (goods or services delivered against unpaid orders) and reputational damage. Because the endpoint requires no authentication, any remote attacker who can reach the WordPress site can attempt the attack, so every unpatched, internet-facing install is exposed.
Exploitation Context
CVE-2026-1305 was publicly disclosed on 2026-02-27. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score shown on this page is 0.30% (53rd percentile), i.e. low predicted exploitation activity, even though the attack itself is simple (a single unauthenticated POST) and the payoff (financial fraud) is attractive. It is not currently listed in the CISA KEV catalog.
Who Is at Risk
WordPress sites utilizing the Japanized for WooCommerce plugin, particularly those integrated with Paidy for payment processing, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
Detection Steps
• wordpress / composer / npm (on the server; the plugin directory slug is woocommerce-for-japan):
grep -r 'paidy_webhook_permission_check' /var/www/html/wp-content/plugins/woocommerce-for-japan/
If the permission check is not found, treat the install as unpatched and confirm the version in the plugin header is 2.8.5 or later.
• generic web (read the version the site advertises in the plugin's public readme):
curl -s https://your-wordpress-site.com/wp-content/plugins/woocommerce-for-japan/readme.txt | grep -i 'stable tag'
Attack Timeline
- Disclosure: 2026-02-27
Threat Intelligence
Exploit Status: no public PoC at the time of writing
EPSS
0.30% (53rd percentile)
CISA SSVC: not listed in the CISA KEV catalog
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, Medium)
What do these metrics mean?
- Attack Vector
- Network: remotely exploitable over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication required to exploit.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- None: no confidentiality impact.
- Integrity
- Low: the attacker can modify some data, to a limited extent.
- Availability
- None: no availability impact.
Affected Software
Package Information
- Active installations
- 10K
- Plugin rating
- 3.3
- Requires WordPress
- 6.7+
- Compatible up to
- 6.9.4
- Requires PHP
- 8.3+
Weakness Classification (CWE)
Timeline
- Reserved
- Published: 2026-02-27
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-1305 is to upgrade the Japanized for WooCommerce plugin to version 2.8.5 or later immediately. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests to the Paidy webhook endpoint that lack the expected signature header (use the header name the plugin's webhook code expects). If you maintain a customised copy of the plugin, make sure the webhook's permission check verifies the signature before any order status is changed. After upgrading, verify the fix by sending a test POST to the webhook without the signature header and confirming that it is rejected (401/403) rather than acted on.
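The following is an added example, not code from the Japanized for WooCommerce plugin, showing the pattern behind both the attack scenario above (a webhook route whose permission callback admits every caller) and the mitigation (a permission callback that verifies a signature before the handler touches any order). Everything about the message format is an assumption: the route name, an "X-Paidy-Signature" header carrying a hex HMAC-SHA256 of the raw body, the option name holding the shared secret, and the payload fields order_id, status, amount and payment_id.

```php
<?php
// Added example, not code from the Japanized for WooCommerce plugin.
// Assumptions (not from the advisory): the webhook is a WordPress REST route,
// the sender puts a hex HMAC-SHA256 of the raw body in an "X-Paidy-Signature"
// header, the shared secret lives in the option 'example_paidy_webhook_secret',
// and the event payload carries order_id, status, amount and payment_id.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-paidy/v1', '/webhook', array(
        'methods'  => 'POST',
        // The vulnerable pattern is a permission_callback that lets everyone in:
        //     'permission_callback' => '__return_true',
        // With that, any unauthenticated POST reaches the handler below and can
        // mark an unpaid order as paid. The hardened route verifies first:
        'permission_callback' => 'example_paidy_webhook_permission_check',
        'callback'            => 'example_paidy_webhook_handler',
    ) );
} );

/**
 * Reject the request unless the signature header is present and matches
 * HMAC-SHA256(raw body, shared secret). A missing header or an unconfigured
 * secret fails closed; the comparison uses hash_equals() to avoid timing leaks.
 */
function example_paidy_webhook_permission_check( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_paidy_webhook_secret', '' );
    $given  = (string) $request->get_header( 'X-Paidy-Signature' );

    if ( '' === $secret || '' === $given ) {
        return new WP_Error( 'rest_forbidden', 'Missing webhook signature.', array( 'status' => 401 ) );
    }

    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    if ( ! hash_equals( $expected, $given ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid webhook signature.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * Runs only after the permission check passed. Even then the payload does not
 * get to choose the order status: only a recognised event (here the assumed
 * value "authorized") for the expected amount moves the order, and it does so
 * through WooCommerce's own payment_complete() rather than a free-form status.
 */
function example_paidy_webhook_handler( WP_REST_Request $request ) {
    $data     = (array) $request->get_json_params();
    $order_id = isset( $data['order_id'] ) ? absint( $data['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Unknown order.', array( 'status' => 404 ) );
    }

    $status = isset( $data['status'] ) ? (string) $data['status'] : '';
    $amount = isset( $data['amount'] ) ? (float) $data['amount'] : 0.0;
    if ( 'authorized' !== $status || abs( $amount - (float) $order->get_total() ) > 0.005 ) {
        return new WP_Error( 'rest_invalid_param', 'Unexpected event or amount.', array( 'status' => 400 ) );
    }

    if ( ! $order->is_paid() ) {
        $transaction_id = isset( $data['payment_id'] ) ? sanitize_text_field( $data['payment_id'] ) : '';
        $order->payment_complete( $transaction_id );
    }
    return rest_ensure_response( array( 'ok' => true ) );
}
```

With this in place, the post-upgrade check described above has a concrete expected outcome: a POST with no signature header gets 401, a POST with a wrong signature gets 403, and only a body signed with the shared secret reaches the handler, which still refuses to change an order unless the event type and amount match.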
How to fix
Update to version 2.8.5 or a newer patched version
Frequently Asked Questions
What is CVE-2026-1305 — Improper Authentication in Japanized for WooCommerce?
CVE-2026-1305 is a vulnerability in Japanized for WooCommerce allowing attackers to bypass payment verification and manipulate order statuses without payment.
Am I affected by CVE-2026-1305 in Japanized for WooCommerce?
If you are running any Japanized for WooCommerce version up to and including 2.8.4, you are potentially affected by this vulnerability.
How do I fix CVE-2026-1305 in Japanized for WooCommerce?
Upgrade Japanized for WooCommerce to version 2.8.5 or later to resolve this improper authentication vulnerability.
Is CVE-2026-1305 being actively exploited?
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Where can I find the official Japanized for WooCommerce advisory for CVE-2026-1305?
Refer to the Japanized for WooCommerce plugin documentation and website for the official advisory and update information.