WordPress Plugin Vulnerabilities
PhonePe Payment Solutions < 3.1.0 - Unauthenticated Payment Bypass via Forged Callback
Description
The plugin does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Akshat Parikh (SN1PER)
Submitter
Akshat Parikh (SN1PER)
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-26 (about 21 days ago)
Added
2026-06-26 (about 20 days ago)
Last Updated
2026-07-16 (about 9 hours ago)