CVE-2020-8819
published 2020-02-25CVE-2020-8819: An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function…
PriorityP359high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EXPLOIT
EPSS
4.54%
90.4th percentile
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cardgate | cardgate_payments | <= 3.1.15 | — |
| cardgate | woocommerce | >= 0 < 3.1.16 | 3.1.16 |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvdv2.05.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CardGate Payments plugin for WooCommerce does not validate request origin
osv·2022-05-24
CVE-2020-8819 [HIGH] CardGate Payments plugin for WooCommerce does not validate request origin
CardGate Payments plugin for WooCommerce does not validate request origin
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
GHSA
CardGate Payments plugin for WooCommerce does not validate request origin
ghsa·2022-05-24
CVE-2020-8819 [HIGH] CWE-346 CardGate Payments plugin for WooCommerce does not validate request origin
CardGate Payments plugin for WooCommerce does not validate request origin
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
No detection rules found.
http://packetstormsecurity.com/files/156504/WordPress-WooCommerce-CardGate-Payment-Gateway-3.1.15-Bypass.htmlhttps://github.com/cardgate/woocommerce/blob/f2111af7b1a3fd701c1c5916137f3ac09482feeb/cardgate/cardgate.php#L426-L442https://github.com/cardgate/woocommerce/issues/18https://wpvulndb.com/vulnerabilities/10097https://www.exploit-db.com/exploits/48134http://packetstormsecurity.com/files/156504/WordPress-WooCommerce-CardGate-Payment-Gateway-3.1.15-Bypass.htmlhttps://github.com/cardgate/woocommerce/blob/f2111af7b1a3fd701c1c5916137f3ac09482feeb/cardgate/cardgate.php#L426-L442https://github.com/cardgate/woocommerce/issues/18https://wpvulndb.com/vulnerabilities/10097https://www.exploit-db.com/exploits/48134
2020-02-25
Published