CVE-2026-0692
Published: 14 February 2026
Summary
CVE-2026-0692 is a high-severity Missing Authorization (CWE-862) vulnerability in the BlueSnap Payment Gateway for WooCommerce plugin for WordPress (product inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-0692 is a Missing Authorization vulnerability (CWE-862) affecting the BlueSnap Payment Gateway for WooCommerce plugin for WordPress in all versions up to and including 3.4.0. The issue stems from the plugin's reliance on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate Instant Payment Notification (IPN) requests against an IP allowlist. This function trusts user-controllable HTTP headers such as X-Real-IP and X-Forwarded-For to determine the client IP address, enabling bypass of the intended restrictions. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges required. By spoofing a whitelisted BlueSnap IP address in the manipulable headers and sending forged IPN data to the plugin's webhook endpoint, attackers can manipulate WooCommerce order statuses. Possible actions include marking orders as paid, failed, refunded, or on-hold without legitimate authorization from BlueSnap, potentially leading to financial fraud or disruption of e-commerce operations.
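To make the root cause concrete, here is an added example (not the plugin's or WooCommerce's code) that places a simplified model of a header-trusting IP resolver next to a hardened one that only honours X-Forwarded-For when the TCP peer is a configured reverse proxy. The allowlist, proxy and request addresses are constructed placeholders; the real BlueSnap addresses are not given on this page.

```php
<?php
// Added example, not code from the plugin or WooCommerce. Models the weak pattern the
// advisory describes (client-supplied headers decide the source IP) beside a hardened check.

// Constructed placeholders: the advisory does not list the real BlueSnap notification IPs.
const IPN_ALLOWLIST   = ['203.0.113.10'];
const TRUSTED_PROXIES = ['198.51.100.1'];

// Simplified model of the weak behaviour: X-Real-IP / X-Forwarded-For win over REMOTE_ADDR,
// so whoever sends the request chooses the address that is compared against the allowlist.
function header_trusting_ip(array $server): string
{
    foreach (['HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
        if (!empty($server[$key])) {
            $first = trim(explode(',', $server[$key])[0]);
            if (filter_var($first, FILTER_VALIDATE_IP)) {
                return $first;
            }
        }
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: REMOTE_ADDR is the only value the client cannot set. X-Forwarded-For is honoured
// only when the peer is a trusted proxy, and then the hop that proxy appended (the last entry)
// is used rather than whatever the client placed first. X-Real-IP is ignored entirely.
function ipn_source_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $last = end($hops);
    return filter_var($last, FILTER_VALIDATE_IP) ? $last : $peer;
}

function ipn_allowed(callable $resolver, array $server): bool
{
    return in_array($resolver($server), IPN_ALLOWLIST, true);
}

// Constructed request: peer is not allowlisted but claims an allowlisted address in the header.
$spoofed  = ['REMOTE_ADDR' => '192.0.2.77',   'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
// Constructed request: genuine notification relayed through the site's own reverse proxy.
$viaProxy = ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];

$verdict = fn(bool $ok) => $ok ? 'ALLOWED' : 'rejected';
printf("weak resolver,     spoofed header: %s\n", $verdict(ipn_allowed('header_trusting_ip', $spoofed)));
printf("hardened resolver, spoofed header: %s\n", $verdict(ipn_allowed('ipn_source_ip', $spoofed)));
printf("hardened resolver, via proxy:      %s\n", $verdict(ipn_allowed('ipn_source_ip', $viaProxy)));
```

The same reasoning applies to any webhook protected by an IP allowlist: the check must key on the transport-level peer address, or on a forwarded header populated by a proxy the application itself controls.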
References include Wordfence's threat intelligence advisory detailing the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/dc676e18-c895-4f6a-bce9-1f92207af885?source=cve) and WordPress plugin trac repositories highlighting the vulnerable code at line 417 in `class-wc-bluesnap-ipn-webhooks.php` for both the 3.4.0 tag (https://plugins.trac.wordpress.org/browser/bluesnap-payment-gateway-for-woocommerce/tags/3.4.0/includes/class-wc-bluesnap-ipn-webhooks.php#L417) and trunk (https://plugins.trac.wordpress.org/browser/bluesnap-payment-gateway-for-woocommerce/trunk/includes/class-wc-bluesnap-ipn-webhooks.php#L417), indicating the need for updates beyond version 3.4.0 to address the authorization flaw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6072
Vulnerability details
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization flaw directly enables exploitation of a public-facing WordPress plugin webhook endpoint to bypass IP allowlisting and manipulate order states.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations to prevent unauthenticated attackers from bypassing the IP allowlist and manipulating order statuses.
- Validates untrusted HTTP headers like X-Forwarded-For and IPN payloads to block spoofed whitelisted IPs and forged data.
- Monitors and controls inbound webhook traffic at boundaries using network-layer source IP validation to mitigate header spoofing.