Platform
wordpress
Component
woocommerce-for-japan
Fixed in
2.8.5
CVE-2026-1305 is an improper authentication vulnerability discovered in the Japanized for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to manipulate order statuses, potentially leading to fraudulent transactions. The vulnerability affects versions up to 2.8.4, and a patch is available in version 2.8.5.
The primary impact of CVE-2026-1305 is the potential for fraudulent order processing. An attacker can craft a malicious POST request to the Paidy webhook endpoint, bypassing the payment verification process. This allows them to mark orders as "Processing" or "Completed" without any actual payment being received. This can result in significant financial losses for merchants and damage to their reputation. The lack of authentication means that any attacker with network access to the WordPress site can potentially exploit this vulnerability, increasing the overall blast radius.
CVE-2026-1305 was publicly disclosed on 2026-02-27. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is likely to be medium, given the ease of exploitation (simple POST request) and the potential impact (financial fraud). It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Japanized for WooCommerce plugin, particularly those integrated with Paidy for payment processing, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
grep -r 'paidy_webhook_permission_check' /var/www/html/wp-content/plugins/japanized-for-woocommerce/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/japanized-for-woocommerce/ | grep -i 'signature'
Disclosure
Exploit Status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1305 is to immediately upgrade the Japanized for WooCommerce plugin to version 2.8.5 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the Paidy webhook endpoint that lack the expected signature header. Additionally, review and strengthen the Paidy webhook implementation to ensure robust authentication checks are in place. After upgrading, verify the fix by attempting to manually trigger the webhook with a missing signature header to confirm that the authentication check is now enforced.
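As an added example (not code from the Japanized for WooCommerce plugin or from Paidy), this is the pattern the mitigation above describes: a WordPress REST route whose permission callback rejects webhook calls that carry no valid signature, so the handler that changes order status never runs for an unauthenticated POST. The weak callback is shown beside the hardened one. The header name `X-Webhook-Signature`, the HMAC-SHA256-over-raw-body scheme, the option name `example_paidy_webhook_secret` and the route `example-payments/v1/webhook` are assumptions for illustration, not the plugin's or Paidy's documented API.

```php
<?php
/**
 * Added example, not the plugin's own code. Shows a REST permission
 * callback that authenticates a payment webhook before any order status
 * is touched.
 *
 * Assumed (hypothetical) scheme, not Paidy's documented one:
 *  - signature arrives in the X-Webhook-Signature header as hex HMAC-SHA256
 *    over the raw request body;
 *  - the shared secret lives in the 'example_paidy_webhook_secret' option.
 */

// Weak pattern: a permission callback that admits every caller. With this in
// place, any unauthenticated POST reaches the handler that updates orders.
function example_webhook_permission_open( WP_REST_Request $request ) {
    return true;
}

// Hardened pattern: require the signature header and verify it against the
// raw body with a constant-time comparison. Fails closed on misconfiguration.
function example_webhook_permission_signed( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_paidy_webhook_secret', '' );
    if ( '' === $secret ) {
        return new WP_Error( 'webhook_unconfigured', 'Webhook secret not set', array( 'status' => 503 ) );
    }

    // WP_REST_Request normalises header names, so lookup is case-insensitive.
    $provided = $request->get_header( 'x-webhook-signature' );
    if ( empty( $provided ) ) {
        return new WP_Error( 'webhook_unsigned', 'Missing signature header', array( 'status' => 401 ) );
    }

    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    if ( ! hash_equals( $expected, strtolower( trim( $provided ) ) ) ) {
        return new WP_Error( 'webhook_bad_signature', 'Invalid signature', array( 'status' => 401 ) );
    }
    return true;
}

// Runs only after the permission callback returned true.
function example_webhook_handler( WP_REST_Request $request ) {
    $data     = $request->get_json_params();
    $order_id = isset( $data['order_id'] ) ? absint( $data['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        return new WP_Error( 'webhook_no_order', 'Unknown order', array( 'status' => 404 ) );
    }
    // Advance the order only when the (now authenticated) provider reports a
    // settled payment; payment_complete() moves it to processing/completed.
    if ( isset( $data['status'] ) && 'paid' === $data['status'] ) {
        $txn = isset( $data['transaction_id'] ) ? sanitize_text_field( $data['transaction_id'] ) : '';
        $order->payment_complete( $txn );
    }
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-payments/v1', '/webhook', array(
        'methods'             => 'POST',
        'callback'            => 'example_webhook_handler',
        'permission_callback' => 'example_webhook_permission_signed',
    ) );
} );
```

With the hardened callback registered, the post-upgrade check the mitigation describes (a POST to the webhook route with no signature header) should come back as a 401 `webhook_unsigned` error from the permission callback, and no order should change state. `hash_equals` is used rather than `===` so that the comparison does not leak timing information about the expected digest.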
Update to version 2.8.5 or a newer patched version
CVE-2026-1305 is a vulnerability in Japanized for WooCommerce allowing attackers to bypass payment verification and manipulate order statuses without payment.
If you are using Japanized for WooCommerce versions 0.0.0–2.8.4, you are potentially affected by this vulnerability.
Upgrade Japanized for WooCommerce to version 2.8.5 or later to resolve this improper authentication vulnerability.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the Japanized for WooCommerce plugin documentation and website for the official advisory and update information.