CVE-2026-56029 - Vulnerability Details - OpenCVE

Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Corvuspay	Woocommerce Payment Gateway
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/corvuspay-woocommerce-integration/vulnerability/wordpress-corvuspay-woocommerce-payment-gateway-plugin-2-7-4-broken-authentication-vulnerability?_s_id=cve

History

Mon, 29 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Corvuspay Corvuspay woocommerce Payment Gateway Wordpress Wordpress wordpress
Vendors & Products		Corvuspay Corvuspay woocommerce Payment Gateway Wordpress Wordpress wordpress

Fri, 26 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.
Title		WordPress CorvusPay WooCommerce Payment Gateway plugin <= 2.7.4 - Broken Authentication vulnerability
Weaknesses		CWE-288
References		https://patchstack.com/database/wordpress/plugin/corvuspay-woocommerce-integration/vulnerability/wordpress-corvuspay-woocommerce-payment-gateway-plugin-2-7-4-broken-authentication-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-06-26T14:52:33.630Z

Updated: 2026-06-26T20:18:33.762Z

Reserved: 2026-06-18T14:37:29.429Z

Link: CVE-2026-56029

Vulnrichment

Updated: 2026-06-26T20:18:29.212Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-56029", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-06-18T14:37:29.429Z", "datePublished": "2026-06-26T14:52:33.630Z", "dateUpdated": "2026-06-26T20:18:33.762Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-06-26T14:52:33.630Z"}, "title": "WordPress CorvusPay WooCommerce Payment Gateway plugin <= 2.7.4 - Broken Authentication vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "CAPEC-50 Password Recovery Exploitation"}]}], "affected": [{"vendor": "corvuspay", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "corvuspay-woocommerce-integration", "product": "CorvusPay WooCommerce Payment Gateway", "versions": [{"lessThanOrEqual": "2.7.4", "status": "affected", "version": "n/a", "versionType": "custom", "changes": [{"at": "2.7.5", "status": "unaffected"}]}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions."}], "value": "Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions."}], "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/corvuspay-woocommerce-integration/vulnerability/wordpress-corvuspay-woocommerce-payment-gateway-plugin-2-7-4-broken-authentication-vulnerability?_s_id=cve"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the WordPress CorvusPay WooCommerce Payment Gateway Plugin to the latest available version (at least 2.7.5)."}], "value": "Update the WordPress CorvusPay WooCommerce Payment Gateway Plugin to the latest available version (at least 2.7.5)."}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "ParkHyunWoo | Patchstack Bug Bounty Program"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T20:13:45.575849Z", "id": "CVE-2026-56029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T20:18:33.762Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-56029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T20:13:45.575849Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T20:18:29.212Z"}}], "cna": {"title": "WordPress CorvusPay WooCommerce Payment Gateway plugin <= 2.7.4 - Broken Authentication vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "ParkHyunWoo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "CAPEC-50 Password Recovery Exploitation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "corvuspay", "product": "CorvusPay WooCommerce Payment Gateway", "versions": [{"status": "affected", "changes": [{"at": "2.7.5", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.7.4"}], "packageName": "corvuspay-woocommerce-integration", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress CorvusPay WooCommerce Payment Gateway Plugin to the latest available version (at least 2.7.5).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress CorvusPay WooCommerce Payment Gateway Plugin to the latest available version (at least 2.7.5).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/corvuspay-woocommerce-integration/vulnerability/wordpress-corvuspay-woocommerce-payment-gateway-plugin-2-7-4-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.", "supportingMedia": [{"type": "text/html", "value": "Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-06-26T14:52:33.630Z"}}}, "cveMetadata": {"cveId": "CVE-2026-56029", "state": "PUBLISHED", "dateUpdated": "2026-06-26T20:18:33.762Z", "dateReserved": "2026-06-18T14:37:29.429Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-06-26T14:52:33.630Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}