CVE-2026-7862
Description
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Eupago Gateway For Woocommerce plugin before 4.7.2 exposes its refund request handler to unauthenticated visitors, letting an attacker initiate refunds against arbitrary orders and drain merchant funds.
Vulnerability
The Eupago Gateway For Woocommerce WordPress plugin in versions before 4.7.2 does not properly restrict access to its refund request handler. Any unauthenticated visitor can therefore trigger a refund against any WooCommerce order without the merchant's authorization; the refund is executed with the merchant's stored payment gateway credentials. All plugin versions prior to 4.7.2 are affected [1].
Exploitation
An attacker needs only network access to a WooCommerce site running the vulnerable plugin; no account, session or prior foothold is required. The attacker sends a crafted request to the refund handler, naming any existing WooCommerce order ID. For payment methods where the refund destination is taken from the request, the attacker can also supply an attacker-controlled bank account to receive the refunded funds [1].
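The following is an added illustration of the bug class described above, not code from the Eupago plugin (whose handler and parameter names are not given on this page). It shows a hypothetical WooCommerce AJAX refund handler registered for logged-out users with no nonce or capability check, beside a hardened version that authenticates and authorizes the caller, bounds the amount, and refunds through the order's original payment record rather than to an account named in the request. Everything prefixed `example_` is hypothetical; the WordPress and WooCommerce functions used are real.

```php
<?php
/**
 * Illustrative refund handler for a WordPress/WooCommerce plugin.
 * NOT the Eupago plugin's code: hook names, parameter names and
 * example_gateway_refund() are hypothetical.
 */

// --- Vulnerable pattern (assumed shape of the bug) ------------------------------

// Registering the callback on wp_ajax_nopriv_* exposes it to logged-out visitors.
add_action( 'wp_ajax_example_refund',        'example_refund_handler_vulnerable' );
add_action( 'wp_ajax_nopriv_example_refund', 'example_refund_handler_vulnerable' );

function example_refund_handler_vulnerable() {
    // No nonce, no capability check: order ID and destination IBAN are taken
    // straight from the request body and trusted.
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $iban     = sanitize_text_field( wp_unslash( $_POST['iban'] ?? '' ) );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }
    // Hypothetical gateway call: refunds the full order total with the merchant's
    // stored credentials, to whatever account the request named.
    example_gateway_refund( $order, $order->get_total(), $iban );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------------

// Only the authenticated hook; WordPress answers logged-out callers with "0".
add_action( 'wp_ajax_example_refund', 'example_refund_handler_hardened' );

function example_refund_handler_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_refund_nonce', 'security' );

    // 2. Authorization: issuing refunds is a shop-manager action.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }

    // 3. Bound the amount by what is still refundable on this order.
    $amount = wc_format_decimal( wp_unslash( $_POST['amount'] ?? '' ) );
    if ( ! is_numeric( $amount ) || (float) $amount <= 0
         || (float) $amount > (float) $order->get_remaining_refund_amount() ) {
        wp_send_json_error( 'invalid amount', 400 );
    }

    // 4. Never take the destination account from the request. refund_payment => true
    //    makes WooCommerce call the order's own gateway, so funds go back to the
    //    original payer and a refund record is written against the order.
    $refund = wc_create_refund( array(
        'order_id'       => $order->get_id(),
        'amount'         => $amount,
        'reason'         => sanitize_text_field( wp_unslash( $_POST['reason'] ?? '' ) ),
        'refund_payment' => true,
        'restock_items'  => false,
    ) );

    if ( is_wp_error( $refund ) ) {
        wp_send_json_error( $refund->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'refund_id' => $refund->get_id() ) );
}
```

The two fixes that matter most are dropping the `wp_ajax_nopriv_` registration (or, if the endpoint must stay reachable, checking `current_user_can()` inside it) and refusing to accept a refund destination from the caller at all. `wp_send_json_error()` terminates the request, so each guard above is a hard stop rather than a fall-through.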
Impact
Successful exploitation allows an unauthenticated attacker to drain merchant funds by initiating fraudulent refunds. For supported payment methods, the funds can be redirected to an attacker-controlled bank account, resulting in direct financial loss. The attacker can target any order in the WooCommerce system, regardless of its original payer or status [1].
Mitigation
The vulnerability is fixed in version 4.7.2 of the plugin, released on or around 2026-05-07. All users should update to this version or later immediately. As of the publication date there is no known workaround for sites that cannot upgrade. Operators of affected sites should also review WooCommerce refund records and the gateway's transaction history for refunds the merchant did not initiate, since an unauthenticated caller leaves no site account to attribute them to. The vulnerability is publicly disclosed and has been added to the WPScan vulnerability database [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <4.7.2
- (no CPE) range: <4.7.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.