Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-8819Origin Validation Error in Woocommerce

CWE-346Origin Validation Error6 documents6 sources
Severity
8.1HIGHNVD
EPSS
0.3%
top 49.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Cardgate WoocommerceCardgate Payments
Timeline
PublishedFeb 25
Latest updateMay 24

Description

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

Packagistcardgate/woocommerce< 3.1.16

🔴Vulnerability Details

3
OSV
CardGate Payments plugin for WooCommerce does not validate request origin2022-05-24
GHSA
CardGate Payments plugin for WooCommerce does not validate request origin2022-05-24
CVEList
CVE-2020-8819: An issue was discovered in the CardGate Payments plugin through 32020-02-25

💥Exploits & PoCs

1
Exploit-DB
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass2020-02-25

💬Community

1
Bugzilla
CVE-2019-8819 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution2020-09-07
CVE-2020-8819 — Origin Validation Error in Woocommerce | cvebase