Redsys & WooCommerce Flaw Allows Payment Forgery

The National Vulnerability Database (NVD) has flagged a critical vulnerability, CVE-2026-5050, in the Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress. The flaw, present in versions up to and including 7.0.0, stems from improper verification of cryptographic signatures in the plugin's successful_request() handlers.

According to the NVD, the plugin calculates a local signature but never compares it against the Ds_Signature sent in the incoming request. The oversight affects payment-status acceptance across the Redsys, Bizum, and Google Pay gateway flows. The upshot? An unauthenticated attacker who possesses a valid order key and order amount can forge payment callback data and mark pending orders as paid, potentially enabling checkout completion and product fulfillment without a legitimate payment ever occurring. This is a nasty one, rated with a CVSS score of 7.5 (HIGH) and classified under CWE-347 (Improper Verification of Cryptographic Signature).
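The failure mode described above, as an added illustration that is not code from the plugin or from the NVD entry: a callback handler that computes the expected signature but never compares it (the CWE-347 pattern) next to one that rejects the callback unless the signature matches. The merchant secret, order values and the per-order key derivation are constructed for this example; real Redsys derives the per-order key by 3DES-encrypting Ds_Order with the merchant key, which is abstracted here.

```python
import base64
import hashlib
import hmac
import json

# Constructed merchant secret for this example only (not a real Redsys key).
MERCHANT_SECRET = b"example-merchant-secret"


def derive_order_key(secret: bytes, order: str) -> bytes:
    """Per-order signing key. Assumption: stands in for Redsys' 3DES-based derivation."""
    return hmac.new(secret, order.encode(), hashlib.sha256).digest()


def sign_params(secret: bytes, params_b64: str, order: str) -> str:
    """HMAC-SHA256 over the encoded Ds_MerchantParameters, base64url-encoded."""
    mac = hmac.new(derive_order_key(secret, order), params_b64.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def build_callback(secret: bytes, order: str, amount: str, response: str = "0000") -> dict:
    """Build a gateway callback as the signing party would (constructed sample data)."""
    params_b64 = base64.b64encode(
        json.dumps({"Ds_Order": order, "Ds_Amount": amount, "Ds_Response": response}).encode()
    ).decode()
    return {"Ds_MerchantParameters": params_b64,
            "Ds_Signature": sign_params(secret, params_b64, order)}


def _status_ok(params: dict, expected_order: str, expected_amount: str) -> bool:
    # Redsys reports an authorised payment with a response code in 0000-0099.
    return (params.get("Ds_Order") == expected_order
            and params.get("Ds_Amount") == expected_amount
            and params.get("Ds_Response", "").isdigit()
            and int(params["Ds_Response"]) <= 99)


def successful_request_vulnerable(secret: bytes, cb: dict, expected_order: str, expected_amount: str) -> bool:
    """CWE-347 pattern: the local signature is computed but its result is never used."""
    params = json.loads(base64.b64decode(cb["Ds_MerchantParameters"]))
    _unused_local_sig = sign_params(secret, cb["Ds_MerchantParameters"], params["Ds_Order"])
    return _status_ok(params, expected_order, expected_amount)


def successful_request_fixed(secret: bytes, cb: dict, expected_order: str, expected_amount: str) -> bool:
    """Hardened handler: constant-time comparison against Ds_Signature before trusting any field."""
    params_b64 = cb.get("Ds_MerchantParameters", "")
    try:
        params = json.loads(base64.b64decode(params_b64, validate=True))
    except (ValueError, json.JSONDecodeError):
        return False
    local_sig = sign_params(secret, params_b64, str(params.get("Ds_Order", "")))
    if not hmac.compare_digest(local_sig, str(cb.get("Ds_Signature", ""))):
        return False
    return _status_ok(params, expected_order, expected_amount)
```

The unsigned-but-plausible callback (correct order and amount, signature made with a key the attacker does not have) is accepted by the vulnerable handler and rejected by the fixed one; the defender's detection angle is the same check applied to logged callbacks.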

What This Means For You

  • If you run an affected version of the plugin (7.0.0 or earlier), patch immediately and audit your logs for signs of exploitation, such as orders marked paid without a matching gateway transaction. Monitor vendor advisories for CVE-2026-5050 updates and patches.

Related ATT&CK Techniques

Detection Rules

  • T1190 (Initial Access), severity critical: "Redsys & WooCommerce Lite Payment Forgery - CVE-2026-5050" (Sigma rule)

Indicators of Compromise

  ID             Type                                               Indicator
  CVE-2026-5050  Auth Bypass                                        Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress <= 7.0.0
  CVE-2026-5050  Improper Verification of Cryptographic Signature   successful_request() handlers in Payment Gateway for Redsys & WooCommerce Lite plugin
  CVE-2026-5050  Auth Bypass                                        Forging payment callback data to mark pending orders as paid via Redsys, Bizum, and Google Pay gateway flows

Source & Attribution

  Source Platform: NVD
  Channel: National Vulnerability Database
  Published: April 16, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
