VYPR
Medium severity5.3NVD Advisory· Published Feb 27, 2026· Updated Apr 15, 2026

CVE-2026-1305

CVE-2026-1305

Description

The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the paidy_webhook_permission_check function that unconditionally returns true when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.