Cyber Resilience

CVE-2026-0692

Severity: High

Published: 14 February 2026

Modified: 15 April 2026
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0012 (30.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0692 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-0692 is a Missing Authorization vulnerability (CWE-862) affecting the BlueSnap Payment Gateway for WooCommerce plugin for WordPress in all versions up to and including 3.4.0. The issue stems from the plugin's reliance on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate Instant Payment Notification (IPN) requests against an IP allowlist. This function trusts user-controllable HTTP headers such as X-Real-IP and X-Forwarded-For to determine the client IP address, enabling bypass of the intended restrictions. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges required. By spoofing a whitelisted BlueSnap IP address in the manipulable headers and sending forged IPN data to the plugin's webhook endpoint, attackers can manipulate WooCommerce order statuses. Possible actions include marking orders as paid, failed, refunded, or on-hold without legitimate authorization from BlueSnap, potentially leading to financial fraud or disruption of e-commerce operations.

References include Wordfence's threat intelligence advisory detailing the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/dc676e18-c895-4f6a-bce9-1f92207af885?source=cve) and the WordPress plugin Trac entries for the vulnerable code at line 417 of `class-wc-bluesnap-ipn-webhooks.php`, in both the 3.4.0 tag (https://plugins.trac.wordpress.org/browser/bluesnap-payment-gateway-for-woocommerce/tags/3.4.0/includes/class-wc-bluesnap-ipn-webhooks.php#L417) and trunk (https://plugins.trac.wordpress.org/browser/bluesnap-payment-gateway-for-woocommerce/trunk/includes/class-wc-bluesnap-ipn-webhooks.php#L417). Both references indicate that a fix for the authorization flaw requires a release beyond version 3.4.0.

Vulnerability details

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization.
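As an added illustration (not the plugin's or WooCommerce's code), the header-trusting IP resolution described above is shown beside a hardened version that ignores forwarded headers unless the TCP peer is a trusted reverse proxy. The allowlist entry, the trusted-proxy list and the request arrays are constructed placeholders, not BlueSnap's real IPN source addresses; the spoofed request passes the weak check and fails the hardened one.

```php
<?php
// Added example: client-IP resolution for an IPN allowlist check.
// $server arrays below stand in for $_SERVER; all values are constructed.

/** Weak: honours client-controlled proxy headers, the behaviour the advisory describes. */
function weak_client_ip(array $server): string {
    foreach (['HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $header) {
        if (!empty($server[$header])) {
            // First entry of a comma-separated X-Forwarded-For chain: whatever the sender wrote.
            return trim(explode(',', $server[$header])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** Hardened: forwarded headers count only when the TCP peer is a known proxy. */
function hardened_client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer; // direct connection: any X-Forwarded-For/X-Real-IP value is untrusted
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A single trusted proxy appends the real client as the last entry; use that one.
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($chain);
    }
    return $peer;
}

/** Allowlist decision: exact match on a syntactically valid address only. */
function ipn_source_allowed(string $ip, array $allowlist): bool {
    return filter_var($ip, FILTER_VALIDATE_IP) !== false
        && in_array($ip, $allowlist, true);
}

// Constructed placeholder allowlist (the vendor publishes the real IPN source addresses).
$allowlist = ['203.0.113.10'];
// Constructed request: an arbitrary peer claims an allowlisted address via X-Forwarded-For.
$spoofed = ['REMOTE_ADDR' => '198.51.100.77', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
// Constructed request: the same claim arriving through a trusted proxy at 192.0.2.1.
$via_proxy = ['REMOTE_ADDR' => '192.0.2.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];

var_dump(ipn_source_allowed(weak_client_ip($spoofed), $allowlist));
var_dump(ipn_source_allowed(hardened_client_ip($spoofed, []), $allowlist));
var_dump(ipn_source_allowed(hardened_client_ip($via_proxy, ['192.0.2.1']), $allowlist));
```

When the site sits behind a CDN or load balancer, REMOTE_ADDR is the proxy's address for every request, so the allowlist must be enforced at that boundary (or the proxy's address list configured exactly), which is the SC-7 control the page lists.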

CWE(s): CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The missing authorization flaw directly enables exploitation of a public-facing WordPress plugin webhook endpoint to bypass IP allowlisting and manipulate order states.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-45209 (shared CWE-862)
- CVE-2026-25026 (shared CWE-862)
- CVE-2026-42083 (shared CWE-862)
- CVE-2026-0656 (shared CWE-862)
- CVE-2026-24532 (shared CWE-862)
- CVE-2025-13603 (shared CWE-862)
- CVE-2025-69063 (shared CWE-862)
- CVE-2026-3045 (shared CWE-862)
- CVE-2025-67956 (shared CWE-862)
- CVE-2025-41765 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations to prevent unauthenticated attackers from bypassing the IP allowlist and manipulating order statuses.
- Input validation (prevent; control ID not given on this page): Validates untrusted HTTP headers like X-Forwarded-For and IPN payloads to block spoofed whitelisted IPs and forged data.
- SC-7 Boundary Protection (prevent): Monitors and controls inbound webhook traffic at boundaries using network-layer source IP validation to mitigate header spoofing.
