{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5050", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-27T16:53:47.167Z", "datePublished": "2026-04-16T05:29:53.590Z", "dateUpdated": "2026-04-16T05:29:53.590Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T05:29:53.590Z"}, "affected": [{"vendor": "jconti", "product": "Payment Gateway for Redsys & WooCommerce Lite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment."}], "title": "Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80544889-8efc-4aa0-a690-774b1ee6a1a0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3501998/woo-redsys-gateway-light"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-347 Improper Verification of Cryptographic Signature", "cweId": "CWE-347", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Duc"}], "timeline": [{"time": "2026-03-27T18:37:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T16:43:26.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment."}], "id": "CVE-2026-5050", "lastModified": "2026-04-16T06:16:20.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T06:16:20.587", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3501998/woo-redsys-gateway-light"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80544889-8efc-4aa0-a690-774b1ee6a1a0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Payment Gateway for Redsys & WooCommerce Lite", "source": "cna", "vendor": "jconti"}, "product": "payment_gateway_for_redsys_&_woocommerce_lite", "vendor": "jconti"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T08:55:27.442429+00:00", "value": {"mitigation_remediation": ["Upgrade the Payment Gateway for Redsys & WooCommerce Lite plugin to the latest version, which removes the signature verification flaw.", "Implement or enable strict signature verification on the payment callback handling code to ensure the Ds_Signature matches the expected value before accepting the order status.", "Restrict access to the payment callback endpoint to known IP ranges or require additional authentication tokens to reduce the surface for unauthenticated manipulation."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated manipulation of payment status leading to fraudulent order fulfillment"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Payment Gateway for Redsys & WooCommerce Lite plugin in any version up to and including 7.0.0 are affected. Users of older WordPress installations that employ this plugin should check their installed version; any deployment using 7.0.0 or earlier is vulnerable.", "description_and_impact": "The plugin contains a flaw where the callback handler calculates a local cryptographic signature but fails to verify the Ds_Signature provided in the request. This allows an attacker who can guess a valid order key and amount to forge callback data that marks a pending order as paid, potentially enabling the completion of checkout and delivery of products or services without a legitimate payment. The weakness is a classic cryptographic signature verification failure (CWE-347).", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity vulnerability. An EPSS score is not available, so the likelihood of exploitation cannot be quantified here. The attack can be performed remotely by sending a crafted HTTP request to the payment callback endpoint; no authentication is required. The vulnerability is not listed in the CISA KEV catalog, but its impact on financial transactions makes it a priority for remediation. Without proper cryptographic signature validation, attackers can impersonate the payment gateway\u2019s response to the e\u2011commerce platform, turning unpaid orders into paid ones."}}}}, "created": "2026-04-16T09:00:05.291772+00:00", "updated": "2026-04-16T09:11:48.062532+00:00", "vendors": ["jconti", "jconti$PRODUCT$payment_gateway_for_redsys_&_woocommerce_lite", "wordpress", "wordpress$PRODUCT$wordpress"]}