{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1305", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T19:03:56.817Z", "datePublished": "2026-02-27T09:23:43.326Z", "dateUpdated": "2026-04-08T17:06:07.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:07.194Z"}, "affected": [{"vendor": "shoheitanaka", "product": "Japanized for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as \"Processing\" or \"Completed\" without actual payment via a crafted POST request to the Paidy webhook endpoint."}], "title": "Japanized for WooCommerce <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cef4b2b-ae8d-4e18-b763-6960a0b944f7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"}, {"url": "https://plugins.trac.wordpress.org/changeset/3464868/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-01-21T19:19:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-26T21:04:26.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T15:39:13.780413Z", "id": "CVE-2026-1305", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:39:31.362Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T15:39:13.780413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:39:23.080Z"}}], "cna": {"title": "Japanized for WooCommerce <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "shoheitanaka", "product": "Japanized for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-21T19:19:12.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-26T21:04:26.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cef4b2b-ae8d-4e18-b763-6960a0b944f7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"}, {"url": "https://plugins.trac.wordpress.org/changeset/3464868/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php"}], "descriptions": [{"lang": "en", "value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as \"Processing\" or \"Completed\" without actual payment via a crafted POST request to the Paidy webhook endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:07.194Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1305", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:07.194Z", "dateReserved": "2026-01-21T19:03:56.817Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-27T09:23:43.326Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as \"Processing\" or \"Completed\" without actual payment via a crafted POST request to the Paidy webhook endpoint."}, {"lang": "es", "value": "El plugin Japanized para WooCommerce para WordPress es vulnerable a una autenticaci\u00f3n incorrecta en versiones hasta la 2.8.4, inclusive. Esto se debe a una verificaci\u00f3n de permisos defectuosa en la funci\u00f3n `paidy_webhook_permission_check` que devuelve `true` incondicionalmente cuando se omite el encabezado de firma del webhook. Esto permite a atacantes no autenticados omitir la verificaci\u00f3n de pago y marcar fraudulentamente pedidos como 'En procesamiento' o 'Completado' sin pago real, mediante una solicitud POST manipulada al punto final del webhook de Paidy."}], "id": "CVE-2026-1305", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-27T10:16:21.863", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3464868/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cef4b2b-ae8d-4e18-b763-6960a0b944f7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Japanized for WooCommerce", "source": "cna", "vendor": "shoheitanaka"}, "product": "japanized_for_woocommerce", "vendor": "shoheitanaka"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:01:29.059946+00:00", "value": {"mitigation_remediation": ["Upgrade the \"Japanized for WooCommerce\" plugin to the latest version (at least 2.8.5) where the permission check has been corrected.", "If an update is not yet available, disable the Paidy webhook endpoint or implement server\u2011side access controls that ensure the signature header is required and validated before processing the request.", "Deploy application\u2011level or network\u2011layer firewall rules to restrict POST traffic to the webhook URL to known IPs or authenticated sessions, mitigating the risk of unauthenticated manipulation."], "summary": {"action": "Patch immediately", "impact": "Unauthorized order status manipulation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin \"Japanized for WooCommerce\" by shoheitanaka, versions up to and including 2.8.4. All installations running these or older releases are susceptible, regardless of the WooCommerce version. No other products are listed as impacted.", "description_and_impact": "The Japanized for WooCommerce plugin contains an improper authentication flaw whereby the function handling the Paidy webhook bypasses permission checks when the signature header is absented. This flaw allows an unauthenticated user to send a crafted HTTP POST request to the webhook endpoint and alter an order\u2019s status to Processing or Completed without actual payment. The resulting compromise is a fraud scenario in which goods or services are released to a non\u2011paying party, directly impacting the merchant\u2019s financial integrity. The attack is conducted from outside the site; the attacker only requires network access to the webhook URL and knowledge of the order ID and desired status. The flaw is a classic example of CWE\u2011287, Improper Authentication.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, and the EPSS value of <1% reflects a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread, actively observed exploitation has been reported. Nevertheless, the flaw provides a direct path to fraud without requiring any privileged credentials or additional system access. An attacker who can reach the webhook endpoint can change order status in real\u2011time, potentially causing immediate financial loss and reputational damage."}}}}, "created": "2026-02-27T16:05:50.745601+00:00", "updated": "2026-04-15T18:15:10.809820+00:00", "vendors": ["shoheitanaka", "shoheitanaka$PRODUCT$japanized_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}