Platform: wordpress
Component: woocommerce-for-japan
Fixed version: 2.8.5
CVE-2026-1305 is an improper authentication vulnerability in the Japanized for WooCommerce plugin for WordPress. The flaw allows unauthenticated attackers to manipulate order statuses, potentially leading to fraudulent transactions. It affects all versions up to and including 2.8.4; a patch is available in version 2.8.5.
The primary impact of CVE-2026-1305 is fraudulent order processing. An attacker can send a crafted POST request to the Paidy webhook endpoint and bypass the payment verification step, marking orders as "Processing" or "Completed" without any payment having been received. This can result in direct financial losses for merchants (goods shipped or services rendered against unpaid orders) and reputational damage. Because no authentication is required, anyone who can reach the site's webhook endpoint can exploit the flaw; no account or prior access is needed, which widens the blast radius considerably.
CVE-2026-1305 was publicly disclosed on 2026-02-27. No public proof-of-concept (PoC) code had been released at the time of writing. The current EPSS score is low at 0.30% (53rd percentile), even though exploitation requires only a single crafted POST request and the outcome is financial fraud; expect that score to move if a PoC appears. The vulnerability is not currently listed in the CISA KEV catalog.
WordPress sites running the Japanized for WooCommerce plugin are at risk, above all those that use Paidy for payment processing, since the vulnerable code path is the Paidy webhook. Shared hosting environments where plugin updates are managed centrally are also at increased risk, because they may be slower to apply security patches.
• wordpress / composer / npm:
  grep -r 'paidy_webhook_permission_check' /var/www/html/wp-content/plugins/japanized-for-woocommerce/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/japanized-for-woocommerce/ | grep -i 'signature'
Note: the plugin directory in these commands must match the slug actually installed (the component field above lists woocommerce-for-japan). Both commands are heuristics only; the installed plugin version shown on the Plugins screen or in the plugin header is the authoritative check.

Disclosure
Exploitation status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1305 is to upgrade the Japanized for WooCommerce plugin to version 2.8.5 or later immediately. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests to the Paidy webhook endpoint which lack the expected signature header; note that such a rule only checks that the header is present, not that the signature is valid, so it is a stopgap rather than a fix. If you maintain a fork or a custom integration of the webhook, verify that its authentication check rejects missing and mismatching signatures before touching any order. After upgrading, verify the fix on a staging copy by sending a POST to the webhook endpoint with no signature header and confirming that the request is rejected and that no order status changes.
Update to version 2.8.5 or a later patched version.
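The bug class described in the impact section (a webhook permission check that trusts every caller) and the hardened check the mitigation asks for, side by side, as an added illustration in Python. This is not code from the Japanized for WooCommerce plugin or from Paidy: the header name x-paidy-signature, the HMAC-SHA256-over-raw-body scheme, the shared secret and the order payloads are all assumptions constructed for the demo, because this page does not describe Paidy's actual signature format.

```python
"""Generic illustration of the CVE-2026-1305 bug class (added example, not
plugin or Paidy code). Assumptions: the header name, the HMAC-SHA256
signature over the raw body, and the shared secret are all constructed here."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-paidy-signature"      # assumed header name
WEBHOOK_SECRET = b"demo-shared-secret"      # constructed for the demo
PAID_STATES = {"processing", "completed"}   # states a payment webhook may set


def vulnerable_permission_check(headers, body, secret):
    """The flaw the advisory describes: every caller is treated as Paidy."""
    return True


def sign(body, secret):
    """Signature a legitimate sender would attach: hex HMAC-SHA256(secret, raw body)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def hardened_permission_check(headers, body, secret):
    """Reject a missing or mismatching signature; compare in constant time."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign(body, secret)
    # compare_digest returns False on length mismatch instead of raising
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_webhook(orders, headers, body, permission_check, secret=WEBHOOK_SECRET):
    """Apply a payment event to the order table if the check passes.
    Returns an HTTP-style code: 401 rejected, 400 bad payload, 200 applied."""
    if not permission_check(headers, body, secret):
        return 401
    try:
        event = json.loads(body)
        order_id = str(event["order_id"])
        new_status = str(event["status"])
    except (ValueError, KeyError, TypeError):
        return 400
    if order_id not in orders or new_status not in PAID_STATES:
        return 400
    orders[order_id] = new_status
    return 200


def run_scenarios(permission_check):
    """Replay an unsigned, a wrongly signed and a correctly signed webhook
    against a fresh table of pending orders; return (status codes, orders)."""
    orders = {"1001": "pending", "1002": "pending", "1003": "pending"}
    unsigned = json.dumps({"order_id": "1001", "status": "completed"}).encode()
    forged = json.dumps({"order_id": "1002", "status": "processing"}).encode()
    legit = json.dumps({"order_id": "1003", "status": "completed"}).encode()
    codes = [
        handle_webhook(orders, {}, unsigned, permission_check),
        handle_webhook(orders, {SIGNATURE_HEADER: "0" * 64}, forged, permission_check),
        handle_webhook(orders, {SIGNATURE_HEADER: sign(legit, WEBHOOK_SECRET)},
                       legit, permission_check),
    ]
    return codes, orders


if __name__ == "__main__":
    for name, check in (("vulnerable", vulnerable_permission_check),
                        ("hardened", hardened_permission_check)):
        codes, orders = run_scenarios(check)
        print(f"{name:10s} codes={codes} orders={orders}")
```

With the vulnerable check all three requests return 200 and every order flips to a paid state; with the hardened check only the correctly signed request is applied and the other two are rejected with 401 before any order is touched. The same three requests, sent with curl against a staging copy of a patched site, are the post-upgrade verification the mitigation describes: the unsigned and wrongly signed ones must come back with a 4xx and leave order statuses unchanged.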
CVE-2026-1305 is a vulnerability in Japanized for WooCommerce allowing attackers to bypass payment verification and manipulate order statuses without payment.
If you are using any Japanized for WooCommerce version up to and including 2.8.4, you are potentially affected by this vulnerability.
Upgrade Japanized for WooCommerce to version 2.8.5 or later to resolve this improper authentication vulnerability.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the Japanized for WooCommerce plugin documentation and website for the official advisory and update information.