Eupago Gateway For Woocommerce < 4.7.2 – Unauthenticated Arbitrary Refund Initiation | CVE 2026-7862

Description

The plugin does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.

Proof of Concept

The PoC will be displayed on June 04, 2026, to give users the time to update.

Affects Plugins

eupago-gateway-for-woocommerce

Fixed in 4.7.2

References

CVE

CVE-2026-7862

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Pedro Pinho

Submitter

Pedro Pinho

Verified

Yes

WPVDB ID

b4ce2a06-b435-4b77-851f-4406f2a91ca6

Timeline

Publicly Published

2026-05-07 (about 21 days ago)

Added

2026-05-07 (about 20 days ago)

Last Updated

2026-05-26 (about 1 day ago)

Other

Published

Title

Published

2022-01-03

Title

TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update

Published

2024-03-19

Title

Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access

Published

2025-07-03

Title

DocCheck Login < 1.1.6 - Unauthorized Post Access

Published

2021-10-19

Title

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation

Published

2024-02-06

Title

AMP for WP < 1.0.93.2 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data