CVE-2026-7862: Critical Unauthenticated Refund Vulnerability in Eupago WooCommerce Plugin
A flaw in the Eupago Gateway For WooCommerce plugin (versions before 4.7.2) allows anyone on the internet to process refunds on any order without logging in. Attackers can exploit this to steal money by redirecting refunds to accounts they control. The vulnerability stems from missing access controls on the refund handler.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- Weaknesses (CWE)
- CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7862 is an improper access control vulnerability (CWE-284) in the Eupago Gateway For WooCommerce plugin affecting versions prior to 4.7.2. The refund request handler lacks authentication and authorization checks, permitting unauthenticated attackers to invoke refund operations against arbitrary WooCommerce orders using the merchant's stored payment gateway credentials. For payment methods supporting fund redirection, attackers can modify the destination bank account to siphon refunded amounts to attacker-controlled accounts.
Business impact
This vulnerability poses significant financial risk to WooCommerce merchants using Eupago. Attackers can drain funds by issuing fraudulent refunds to themselves, bypassing normal transaction controls. Beyond direct financial loss, compromised merchants face customer disputes, chargeback fees, potential processor sanctions, and reputational damage. The attack requires no authentication or user interaction, making it trivially exploitable at scale.
Affected systems
The Eupago Gateway For WooCommerce WordPress plugin in versions before 4.7.2 is vulnerable. WooCommerce storefronts integrating this payment gateway are at risk. The vulnerability is network-accessible and affects all affected installations regardless of security posture, provided the plugin remains unpatched.
Exploitability
This vulnerability is highly exploitable. It requires no authentication, no special privileges, and no user interaction. An attacker needs only network access and knowledge of target WooCommerce order IDs (often sequential or discoverable). The attack can be automated and executed repeatedly. The low CVSS attack complexity (AC:L) and lack of privileges required (PR:N) reflect this ease of exploitation.
Remediation
Merchants must immediately update the Eupago Gateway For WooCommerce plugin to version 4.7.2 or later. Verify the update through the WordPress plugin dashboard or directly with Eupago. As an interim mitigation before patching, consider disabling the plugin or restricting refund capabilities through WooCommerce settings if operationally feasible. Monitor recent transactions for suspicious refund activity.
Patch guidance
Update the Eupago Gateway For WooCommerce plugin to 4.7.2 or higher. Access WordPress admin > Plugins > check for updates, or manually upload the patched version. Test in a staging environment first to confirm payment processing continues normally. After deployment, verify the refund handler now enforces proper authentication by attempting unauthorized refund requests (which should now fail).
Detection guidance
Monitor WooCommerce refund logs and payment gateway activity for: refunds initiated outside normal business patterns, refunds processed to unfamiliar bank accounts, refund requests with no corresponding admin user action, and HTTP requests to the refund handler endpoint lacking valid session or nonce tokens. Enable detailed logging on the Eupago plugin if available. Review transaction reports from your payment processor for anomalies. Correlate refund timestamps with web server access logs to identify attacker IP ranges.
Why prioritize this
This vulnerability merits urgent patching due to its high CVSS score (8.6), trivial exploitability (no authentication required), and direct financial impact. It enables attackers to steal money from any WooCommerce store using Eupago without barriers. The lack of exploitation barriers and high-impact nature make this a critical risk for any affected merchant.
Risk score, explained
The CVSS 3.1 score of 8.6 (HIGH) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), limited confidentiality impact through potential access to order data (C:L), high integrity impact from unauthorized refunds and account redirection (I:H), and low availability impact if refund abuse disrupts service (A:L). The score appropriately captures the severity of unauthenticated fund theft.
Frequently asked questions
How do I know if my WooCommerce store was attacked via this vulnerability?
Check your WooCommerce refund reports and payment processor statements for refunds you do not recognize. Review logs for refunds marked as processed but with no corresponding admin action or timestamp anomalies. Contact Eupago support with transaction details to verify if refunds were initiated through the vulnerable handler. Compare refund destination accounts against your expected merchant accounts.
Is updating the plugin enough, or do I need to check my payment processor account?
Update immediately, then contact your payment processor (bank or payment gateway) to review recent refund activity and confirm no unauthorized transactions occurred. Ask about transaction rollback if fraudulent refunds were processed. Update the plugin to prevent future exploitation, but independently verify your financial accounts for past compromise.
Does this vulnerability affect WooCommerce itself or only the Eupago plugin?
This vulnerability is specific to the Eupago Gateway For WooCommerce plugin and does not affect WooCommerce core. Only merchants using the Eupago plugin are at risk. Other payment gateway plugins are unaffected unless they contain similar access control flaws.
Can I use a firewall rule to block this attack while waiting to patch?
Partially. You could restrict access to the WooCommerce refund endpoint by IP or require additional authentication headers, but this is not a reliable primary defense. Proper patching is essential and should be prioritized. Firewall rules can serve as a temporary supplementary measure only while you stage and test the patch.
This analysis is provided for informational purposes and reflects the state of CVE-2026-7862 as of the published date. Verify all patch version numbers and deployment steps against official Eupago and WordPress security advisories before implementing. Security teams should conduct independent testing in non-production environments. SEC.co makes no warranty regarding the completeness or accuracy of third-party plugin security claims and recommends consulting vendor documentation for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2026-32995HIGHRocket.Chat DDP Authentication Bypass Exposes All Private Messages
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-37235HIGHFlexRIC E42 Message Authentication Bypass – RIC Denial of Service
- CVE-2026-40715HIGHDell ThinOS 10 Privilege Escalation Vulnerability
- CVE-2026-45296HIGHOpenReplay Multi-Tenant Authorization Bypass – Session Data Exposure
- CVE-2026-45707HIGHn8n-MCP Multi-Tenant Privilege Escalation (CVSS 8.1 HIGH)
- CVE-2026-46818HIGHOracle E-Business Suite Payments File Transmission Vulnerability (CVSS 7.4)