{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0679", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T17:46:57.526Z", "datePublished": "2026-02-04T08:25:31.970Z", "dateUpdated": "2026-04-08T17:11:54.036Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:54.036Z"}, "affected": [{"vendor": "fortispay", "product": "Fortis for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment."}], "title": "Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674"}, {"url": "https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457351%40fortis-for-woocommerce&new=3457351%40fortis-for-woocommerce&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-02-03T19:44:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:51:27.427435Z", "id": "CVE-2026-0679", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:51:34.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:51:27.427435Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:51:31.532Z"}}], "cna": {"title": "Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "fortispay", "product": "Fortis for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T19:44:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674"}, {"url": "https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457351%40fortis-for-woocommerce&new=3457351%40fortis-for-woocommerce&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:54.036Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0679", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:54.036Z", "dateReserved": "2026-01-07T17:46:57.526Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:31.970Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment."}, {"lang": "es", "value": "El plugin Fortis para WooCommerce para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n debido a una verificaci\u00f3n de nonce invertida en la funci\u00f3n 'check_fortis_notify_response' en todas las versiones hasta la 1.2.0, inclusive. Esto permite a atacantes no autenticados actualizar estados de pedido arbitrarios de WooCommerce a pagado/en proceso/completado, lo que les permite efectivamente marcar pedidos como pagados sin realizar el pago."}], "id": "CVE-2026-0679", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:52.143", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457351%40fortis-for-woocommerce&new=3457351%40fortis-for-woocommerce&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:51:44.694494+00:00", "value": {"mitigation_remediation": ["Upgrade the Fortis for WooCommerce plugin to the latest version (\u22651.2.1) where the nonce check has been corrected.", "Ensure that any custom code or hooks that modify order status updates enforce proper authorization checks before allowing status changes.", "If an immediate upgrade is not possible, restrict unauthenticated access to the wc-api endpoint using server rules or a security plugin to prevent status changes without authentication."], "summary": {"action": "Patch Now", "impact": "Authorization bypass that allows unauthenticated users to change order status to paid"}, "threat_synthesis": {"affected_systems": "Affected installations are any sites running Fortis for WooCommerce version 1.2.0 or earlier, which is the last version containing the vulnerable code. The vendor, Fortispay, distributed the plugin through the WordPress plugin repository, and the flaw spans all releases up to and including 1.2.0. Site owners should verify the plugin version and upgrade accordingly.", "description_and_impact": "The Fortis for WooCommerce WordPress plugin contains an authorization bypass vulnerability due to an inverted nonce check in the check_fortis_notify_response function. This flaw permits unauthenticated attackers to modify WooCommerce order states, allowing them to set arbitrary orders to paid, processing, or completed without actually providing payment. As a result, attackers can fraudulently clear orders, causing financial loss and eroding trust in the e-commerce system. This weakness is classified as CWE-862: Missing Authorization.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity, while the EPSS score of less than 1% suggests a low exploitation likelihood at present. Because the flaw can be triggered by unauthenticated HTTP requests to the wc-api endpoint, attackers need only make a crafted request containing an order ID; no authentication or special privileges are required. The issue is not listed in CISA\u2019s KEV catalog, implying no confirmed exploitation reports yet, but the risk remains high for sites that expose the endpoint to the public internet."}}}}, "created": "2026-02-04T21:18:22.286563+00:00", "updated": "2026-04-15T19:00:12.283643+00:00", "vendors": ["fortispay", "fortispay$PRODUCT$fortis_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}