
Japanized for WooCommerce Plugin Allows Unpaid Orders to be Marked as Paid

CVE-2026-1305
Summary

The Japanized for WooCommerce plugin for WordPress has an authentication flaw that lets unauthenticated attackers mark orders as paid without actually paying. This can lead to financial losses and damaged customer trust. Update the plugin to the latest version (2.8.5 or higher) to fix the issue.

Original title
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_p...
Original description
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-287 Improper Authentication
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
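
The description above comes down to a signature check that fails open when the header is absent. The following added example is not the plugin's code; it contrasts that pattern with a fail-closed check in plain PHP. The header name, the shared secret and the HMAC-SHA256 scheme are assumptions made for the illustration, not Paidy's documented webhook format.

```php
<?php
// Added illustration; not the plugin's code. The header name, secret and
// HMAC-SHA256 scheme are assumptions, not Paidy's documented format.
const SIG_HEADER = 'x-example-signature';    // hypothetical header name

// Fail-open pattern described in the advisory: a missing header skips verification.
function check_fail_open(array $headers, string $body, string $secret): bool {
    if (!isset($headers[SIG_HEADER])) {
        return true;                          // the flaw: no signature means "allowed"
    }
    return hash_equals(hash_hmac('sha256', $body, $secret), $headers[SIG_HEADER]);
}

// Fail-closed form: every path that cannot prove authenticity returns false.
function check_fail_closed(array $headers, string $body, string $secret): bool {
    if ($secret === '') {
        return false;                         // an unconfigured secret must not mean "allow"
    }
    $sig = $headers[SIG_HEADER] ?? null;
    if (!is_string($sig) || $sig === '') {
        return false;                         // missing or empty header is rejected
    }
    $expected = hash_hmac('sha256', $body, $secret);
    return hash_equals($expected, $sig);      // constant-time comparison
}

// Constructed sample requests (header names already lower-cased).
$secret = 'constructed-test-secret';
$body   = '{"payment_id":"pay_constructed","status":"example"}';
$cases  = [
    'valid signature' => [SIG_HEADER => hash_hmac('sha256', $body, $secret)],
    'wrong signature' => [SIG_HEADER => str_repeat('0', 64)],
    'header omitted'  => [],
    'empty header'    => [SIG_HEADER => ''],
];
foreach ($cases as $name => $headers) {
    printf("%-16s fail-open=%s fail-closed=%s\n", $name,
        var_export(check_fail_open($headers, $body, $secret), true),
        var_export(check_fail_closed($headers, $body, $secret), true));
}
```

In a WordPress REST route this logic belongs in the route's `permission_callback`, so that a request failing the check is rejected before any order status is changed.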