CVE-2026-5050
Published: 16 April 2026
Summary
CVE-2026-5050 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely identification, reporting, and patching of the improper cryptographic signature verification flaw in the plugin.
Mandates implementation of cryptographic mechanisms to verify the Ds_Signature in payment callbacks, preventing forgery of payment status updates.
Requires validation of information inputs such as payment callback data, including cryptographic signature checks to block forged requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing WordPress payment plugin allows remote unauthenticated attackers to forge callback data and bypass signature verification to manipulate order status, directly enabling exploitation of public-facing applications.
NVD Description
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service fulfillment without a successful payment.
Deeper analysis
CVE-2026-5050 is an Improper Verification of Cryptographic Signature vulnerability (CWE-347) in the Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress, affecting versions up to and including 7.0.0. The issue resides in the successful_request() handlers, which calculate a local signature but fail to validate the Ds_Signature provided in requests before accepting payment status updates across the Redsys, Bizum, and Google Pay gateway flows. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely by forging payment callback data, provided they know a valid order key and order amount for a pending order. Successful exploitation allows attackers to mark these orders as paid without an actual payment, enabling unauthorized completion of checkout processes and potential fulfillment of products or services.
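To make the defect concrete, here is an added Python model of the two handler shapes (illustrative code written for this page, not the plugin's PHP): the vulnerable `successful_request()` computes a local signature and never compares it with `Ds_Signature`, while the hardened form rejects any callback whose signature does not match before touching the order. The signature scheme is a simplified HMAC-SHA256 over a `Ds_MerchantParameters` field with a constructed key; the real Redsys per-order key derivation, the field names, and treating `Ds_Response` 0000 as authorised are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed merchant secret (assumption). A real Redsys key is derived per
# order from the merchant key; that derivation is not modelled here.
MERCHANT_KEY = b"constructed-merchant-secret"

def sign(merchant_params_b64: str) -> str:
    """Simplified stand-in for the gateway signature (assumption): base64 of
    HMAC-SHA256 over the base64-encoded Ds_MerchantParameters field."""
    mac = hmac.new(MERCHANT_KEY, merchant_params_b64.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def decode_params(merchant_params_b64: str) -> dict:
    return json.loads(base64.b64decode(merchant_params_b64))

def successful_request_vulnerable(callback: dict) -> Optional[str]:
    """Shape described by the advisory: the local signature is calculated,
    but Ds_Signature from the request is never compared against it."""
    params = decode_params(callback["Ds_MerchantParameters"])
    _local = sign(callback["Ds_MerchantParameters"])  # computed, then unused
    if params.get("Ds_Response") == "0000":  # 0000 = authorised (assumption)
        return params["Ds_Order"]  # order would be marked as paid
    return None

def successful_request_fixed(callback: dict) -> Optional[str]:
    """Hardened handler: verify Ds_Signature with a constant-time comparison
    before trusting any field of the callback."""
    local = sign(callback["Ds_MerchantParameters"])
    if not hmac.compare_digest(local, callback.get("Ds_Signature", "")):
        return None  # signature mismatch: do not touch the order
    params = decode_params(callback["Ds_MerchantParameters"])
    if params.get("Ds_Response") == "0000":
        return params["Ds_Order"]
    return None

def make_callback(order: str, amount: str, signature: Optional[str] = None) -> dict:
    """Constructed callback; with signature=None it is signed the way the
    gateway would sign it, otherwise the given (bogus) value is used."""
    params = {"Ds_Order": order, "Ds_Amount": amount, "Ds_Response": "0000"}
    b64 = base64.b64encode(json.dumps(params).encode()).decode()
    return {"Ds_MerchantParameters": b64,
            "Ds_Signature": sign(b64) if signature is None else signature}
```

A regression check for the patched plugin should follow the same pattern: a callback carrying the right order and amount but a wrong `Ds_Signature` must leave the order in its pending state.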
Mitigation details are outlined in the referenced advisories, including a patch in WordPress plugin trac changeset 3501998 at https://plugins.trac.wordpress.org/changeset/3501998/woo-redsys-gateway-light and further analysis from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/80544889-8efc-4aa0-a690-774b1ee6a1a0?source=cve. Security practitioners should update to a patched version of the plugin to address the signature validation flaw.
Details
- CWE(s)