Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund...

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Description

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.

AI Analysis

Unauthenticated arbitrary refund initiation vulnerability in Eupago Gateway For Woocommerce plugin before 4.7.2

Basic Information

ID CVE-2026-7862

Source WPScan

Published May 28, 2026 at 06:00

Modified May 28, 2026 at 10:32

Affected Product

Vendor Unknown

Product Eupago Gateway For Woocommerce

Affected Versions Unknown Eupago Gateway For Woocommerce 0

CWE Classification

CWE-284

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Eupago

Product Eupago Gateway For Woocommerce

Version < 4.7.2

References

wpscan.com /vulnerability/b4ce2a06-b435-4b77-851f-4406f2a91ca6/

{
    "lastseen": "",
    "description": "The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.",
    "published": "2026-05-28T06:00:11.989Z",
    "modified": "2026-05-28T10:32:12.852Z",
    "type": "cve",
    "title": "Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/b4ce2a06-b435-4b77-851f-4406f2a91ca6/",
    "id": "CVE-2026-7862",
    "bulletinFamily": "",
    "cwe": [
        "",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Unknown Eupago Gateway For Woocommerce 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Eupago Gateway For Woocommerce",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "Unauthenticated arbitrary refund initiation vulnerability in Eupago Gateway For Woocommerce plugin before 4.7.2",
    "ai_severity": "High",
    "ai_vendor": "Eupago",
    "ai_product": "Eupago Gateway For Woocommerce",
    "ai_version": "< 4.7.2",
    "ai_score": 8.6
}

Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation_CVE-2026-7862