{"api_version":"1","generated_at":"2026-07-11T22:41:48+00:00","cve":"CVE-2026-9028","urls":{"html":"https://cve.report/CVE-2026-9028","api":"https://cve.report/api/cve/CVE-2026-9028.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9028","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9028"},"summary":{"title":"CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authorization to Unauthenticated Arbitrary Order Cancellation via 'order_number' Parameter","description":"The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to cancel any WooCommerce order placed via the CorvusPay payment method by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST endpoint.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-07-09 11:16:42","updated_at":"2026-07-09 16:19:45"},"problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-gateway-corvuspay.php#L792","name":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-gateway-corvuspay.php#L792","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset?reponame=&old=3576949%40corvuspay-woocommerce-integration&new=3576949%40corvuspay-woocommerce-integration","name":"https://plugins.trac.wordpress.org/changeset?reponame=&old=3576949%40corvuspay-woocommerce-integration&new=3576949%40corvuspay-woocommerce-integration","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/402f1f9f-35c7-4304-891b-a07f3e84c189?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/402f1f9f-35c7-4304-891b-a07f3e84c189?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-gateway-corvuspay.php#L206","name":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-gateway-corvuspay.php#L206","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-gateway-corvuspay.php#L792","name":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-gateway-corvuspay.php#L792","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-order-corvuspay.php#L172","name":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-order-corvuspay.php#L172","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-order-corvuspay.php#L172","name":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-order-corvuspay.php#L172","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-gateway-corvuspay.php#L206","name":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-gateway-corvuspay.php#L206","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9028","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9028","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"corvusinfo","product":"CorvusPay WooCommerce Payment Gateway","version":"affected 2.7.4 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-07-08T20:43:04.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Valatty","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"9028","cve":"CVE-2026-9028","epss":"0.002880000","percentile":"0.206840000","score_date":"2026-07-10","updated_at":"2026-07-11 00:11:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-9028","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-09T12:18:29.119295Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-09T12:18:39.132Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"CorvusPay WooCommerce Payment Gateway","vendor":"corvusinfo","versions":[{"lessThanOrEqual":"2.7.4","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Valatty"}],"descriptions":[{"lang":"en","value":"The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to cancel any WooCommerce order placed via the CorvusPay payment method by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST endpoint."}],"metrics":[{"cvssV3_1":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-09T09:31:20.926Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/402f1f9f-35c7-4304-891b-a07f3e84c189?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-gateway-corvuspay.php#L792"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-gateway-corvuspay.php#L206"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.4/includes/class-wc-order-corvuspay.php#L172"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-gateway-corvuspay.php#L792"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-gateway-corvuspay.php#L206"},{"url":"https://plugins.trac.wordpress.org/browser/corvuspay-woocommerce-integration/tags/2.7.2/includes/class-wc-order-corvuspay.php#L172"},{"url":"https://plugins.trac.wordpress.org/changeset?reponame=&old=3576949%40corvuspay-woocommerce-integration&new=3576949%40corvuspay-woocommerce-integration"}],"timeline":[{"lang":"en","time":"2026-07-08T20:43:04.000Z","value":"Disclosed"}],"title":"CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authorization to Unauthenticated Arbitrary Order Cancellation via 'order_number' Parameter"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2026-9028","datePublished":"2026-07-09T09:31:20.926Z","dateReserved":"2026-05-19T15:24:07.965Z","dateUpdated":"2026-07-09T12:18:39.132Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-09 11:16:42","lastModifiedDate":"2026-07-09 16:19:45","problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-09T12:18:29.119295Z","id":"CVE-2026-9028","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9028","Ordinal":"1","Title":"CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authori","CVE":"CVE-2026-9028","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9028","Ordinal":"1","NoteData":"The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to cancel any WooCommerce order placed via the CorvusPay payment method by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST endpoint.","Type":"Description","Title":"CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authori"}]}}}