Description

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-28 | Updated 2026-05-28 | Assigner WPScan

Problem types

CWE-284 Improper Access Control

Product status

Default status: unaffected

Any version before 4.7.2: affected

Credits

Pedro Pinho (finder)

WPScan (coordinator)

References

wpscan.com/...rability/b4ce2a06-b435-4b77-851f-4406f2a91ca6/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-7862)

nvd.nist.gov (CVE-2026-7862)
