Medium severity5.3NVD Advisory· Published Feb 27, 2026· Updated Apr 15, 2026
CVE-2026-1305
CVE-2026-1305
Description
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the paidy_webhook_permission_check function that unconditionally returns true when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.phpnvd
- plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.phpnvd
- plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.phpnvd
- plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.phpnvd
- plugins.trac.wordpress.org/changeset/3464868/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/8cef4b2b-ae8d-4e18-b763-6960a0b944f7nvd
News mentions
0No linked articles in our index yet.