CVE-2018-20782

An unauthenticated remote attacker sends a crafted HTTP POST request to the IPN callback endpoint with parameters `id`, `status` (set to `completed`), and `custom_payment_id` (set to the target order ID) [ref_id=1]. The plugin accepts these untrusted inputs without verifying their authenticity via HMAC or any cryptographic signature, allowing the attacker to spoof a payment-completed status for any order [ref_id=1]. No administrative rights or prior authentication are required.

The vulnerable code resides in the `ipn_callback()` function of `src/Gateway.php` at line 374 [ref_id=1]. The plugin mishandles IPN messages by relying on untrusted inputs without cryptographic authentication.

The advisory does not include a patch diff, but the vendor released version 1.1.2 to address the issue [ref_id=1]. The fix would need to add cryptographic authentication (e.g., HMAC verification) to the IPN callback so that only legitimate GloBee server messages are accepted, and to validate that the payment status corresponds to a genuine transaction before updating the order.

1. Initiate a checkout on the vulnerable WooCommerce store and select GloBee cryptocurrency payment to obtain a payment link (e.g., `https://globee.com/en/payment-request/XXXXXXXXXXXXXXXXXXXXXX`). 2. Extract the payment ID from the link and note the order ID assigned by WooCommerce. 3. Send a POST request to the IPN callback endpoint with payload `id=