7.5

Payment Gateway for Redsys & WooCommerce Lite plugin on WordPress allows fake payments

CVE-2026-5050
Summary

Versions of this WordPress plugin up to and including 7.0.0 may allow attackers to fake payments and mark orders as paid without a real payment being made. This can lead to incorrect order fulfillment and financial loss. Update to the latest version to fix this issue.

Original title
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_re...
Original description
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.
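The check the description says is missing, shown as an added example that is not the plugin's code: a callback is accepted only when the locally computed signature matches Ds_Signature. It assumes Redsys's HMAC_SHA256_V1 scheme (per-order 3DES key, HMAC-SHA256 over Ds_MerchantParameters); the function names, merchant key and callback values are constructed for illustration.

```php
<?php
// Added example: helper names are hypothetical; key and callback values are constructed.
function redsys_expected_signature(string $paramsB64, string $order, string $merchantKeyB64): string {
    $key = base64_decode($merchantKeyB64, true);
    if ($key === false || strlen($key) !== 24) {
        throw new InvalidArgumentException('merchant key must decode to 24 bytes');
    }
    // Assumed scheme: per-order key = 3DES-CBC(order number), zero IV, zero padding.
    $padded   = str_pad($order, (int) (ceil(strlen($order) / 8) * 8), "\0");
    $orderKey = openssl_encrypt($padded, 'des-ede3-cbc', $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, str_repeat("\0", 8));
    if ($orderKey === false) {
        // Never fall through to an HMAC keyed with an empty string.
        throw new RuntimeException('order key derivation failed');
    }
    $mac = hash_hmac('sha256', $paramsB64, $orderKey, true);
    return strtr(base64_encode($mac), '+/', '-_'); // URL-safe alphabet
}

// Returns the decoded parameters only when Ds_Signature verifies, otherwise null.
function redsys_verified_params(array $post, string $merchantKeyB64): ?array {
    foreach (['Ds_SignatureVersion', 'Ds_MerchantParameters', 'Ds_Signature'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null; // missing or array-valued field
        }
    }
    if ($post['Ds_SignatureVersion'] !== 'HMAC_SHA256_V1') {
        return null;
    }
    $json   = base64_decode(strtr($post['Ds_MerchantParameters'], '-_', '+/'));
    $params = json_decode($json, true);
    $order  = is_array($params) ? ($params['Ds_Order'] ?? null) : null;
    if (!is_string($order) || $order === '') {
        return null;
    }
    $expected = redsys_expected_signature($post['Ds_MerchantParameters'], $order, $merchantKeyB64);
    $received = strtr($post['Ds_Signature'], '+/', '-_');
    // The step the advisory says was skipped: constant-time comparison with Ds_Signature.
    return hash_equals($expected, $received) ? $params : null;
}

$key    = str_repeat('QUJD', 8); // constructed key: base64 of "ABC" repeated 8 times
$fields = ['Ds_Order' => '000012345678', 'Ds_Amount' => '1999', 'Ds_Response' => '0000'];
$params = base64_encode(json_encode($fields));
$good   = ['Ds_SignatureVersion' => 'HMAC_SHA256_V1', 'Ds_MerchantParameters' => $params,
           'Ds_Signature' => redsys_expected_signature($params, '000012345678', $key)];
$forged = ['Ds_Signature' => base64_encode(str_repeat('x', 32))] + $good;
var_dump(redsys_verified_params($good, $key) !== null);   // genuine callback
var_dump(redsys_verified_params($forged, $key) !== null); // signature does not match
```

A handler should read Ds_Response, and compare Ds_Order and Ds_Amount with the stored order, only from the array this function returns.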
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-347 Improper Verification of Cryptographic Signature
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026