Eupago Gateway For Woocommerce Plugin Vulnerability (CVE-2026-7862)

Security Alert Summary

The Eupago Gateway For Woocommerce plugin before 4.7.2 does not properly restrict access to its refund request handler. This allows unauthenticated attackers to initiate refunds for any WooCommerce order using the merchant’s payment gateway credentials and, for some payment methods, redirect refunded funds to an attacker-controlled bank account.


CVE Details

  • CVE ID: CVE-2026-7862
  • Affected component: Eupago Gateway For Woocommerce WordPress plugin
  • Affected versions: Versions before 4.7.2
  • Published: May 28, 2026 at 08:16:37 AM UTC
  • Last modified: May 28, 2026 at 01:45:25 PM UTC
  • CVSS v3.1: Base Score 8.6, Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • Authentication / Privileges / User interaction: No authentication required; Privileges required: None; User interaction: None
  • Primary impact: Confidentiality: Low; Integrity: High; Availability: Low
  • Weakness (CWE): CWE-284 (Improper Access Control)

Technical Details

According to the advisory, the plugin does not properly restrict access to its refund request handler. Because this handler lacks an appropriate access-control check, an unauthenticated actor can trigger refund operations for arbitrary WooCommerce orders, and the refund is then executed with the merchant's stored payment gateway credentials.

The description specifically refers to the refund request handler; no other functions or REST endpoints are named in the provided data. The root cause shown in the report is an improper access control check (CWE-284) on the component that processes refund requests.

Impact is primarily on integrity: an attacker could cause financial transactions to be reversed and, for payment methods that support it, redirect refunded funds to an attacker-controlled bank account. Confidentiality impact is described as low; availability impact is also low.
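The weakness class described above, a refund handler reachable without any access check, is easiest to understand next to a correctly gated one. The following is an added example written for this page, not code from the Eupago plugin: it registers a WooCommerce refund endpoint in the WordPress REST API whose `permission_callback` requires a logged-in user with the `manage_woocommerce` capability, validates the order and amount, and always refunds back through the gateway to the original payment instrument. The route namespace `example-store/v1` and the `example_*` function names are assumptions.

```php
<?php
/**
 * Added example (not the Eupago plugin's code): a WooCommerce refund
 * endpoint that is closed to unauthenticated callers.
 *
 * The weak pattern behind CWE-284 in this context is a handler that any
 * visitor can reach, e.g. a REST route registered with
 * 'permission_callback' => '__return_true', or an AJAX action hooked on
 * wp_ajax_nopriv_* with no capability check inside. The route below puts
 * the check where WordPress evaluates it before the callback ever runs.
 */

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-store/v1',                       // assumed namespace
        '/refund',
        array(
            'methods'             => 'POST',
            'callback'            => 'example_refund_order_rest',
            'permission_callback' => 'example_refund_permission',
            'args'                => array(
                'order_id' => array( 'required' => true,  'sanitize_callback' => 'absint' ),
                'amount'   => array( 'required' => true,  'sanitize_callback' => 'floatval' ),
                'reason'   => array( 'required' => false, 'sanitize_callback' => 'sanitize_text_field' ),
            ),
        )
    );
} );

function example_refund_permission( WP_REST_Request $request ) {
    // An unauthenticated REST request runs as user ID 0 with no capabilities.
    // A cookie-authenticated request that lacks a valid X-WP-Nonce is also
    // treated as unauthenticated by core, so a forged cross-site POST from a
    // logged-in manager's browser fails here as well.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Refunds require shop management rights.',
            array( 'status' => 403 )
        );
    }
    return true;
}

function example_refund_order_rest( WP_REST_Request $request ) {
    $order_id = (int) $request->get_param( 'order_id' );
    $amount   = (float) $request->get_param( 'amount' );
    $reason   = $request->get_param( 'reason' ) ?: 'Refund via management API';

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Unknown order.', array( 'status' => 404 ) );
    }

    // Never let the caller exceed what is still refundable on this order.
    $remaining = (float) $order->get_remaining_refund_amount();
    if ( $amount <= 0 || $amount > $remaining ) {
        return new WP_Error(
            'bad_amount',
            sprintf( 'Amount must be greater than 0 and at most %.2f.', $remaining ),
            array( 'status' => 400 )
        );
    }

    // The refund destination is never taken from the request. 'refund_payment'
    // sends the money back through the gateway to the original payment
    // instrument; accepting a caller-supplied bank account is exactly the
    // redirection the advisory warns about.
    $refund = wc_create_refund( array(
        'order_id'       => $order->get_id(),
        'amount'         => $amount,
        'reason'         => $reason,
        'refund_payment' => true,
    ) );

    if ( is_wp_error( $refund ) ) {
        return new WP_Error( 'refund_failed', $refund->get_error_message(), array( 'status' => 500 ) );
    }

    // Record the real account that initiated the refund for the audit trail.
    $order->add_order_note( sprintf(
        'Refund #%d of %.2f initiated by user #%d via REST.',
        $refund->get_id(),
        $amount,
        get_current_user_id()
    ) );

    return rest_ensure_response( array(
        'refund_id' => $refund->get_id(),
        'amount'    => $amount,
    ) );
}
```

The check to look for when reviewing any refund handler is the one in `example_refund_permission`: it must run before any gateway call, it must tie the action to a capability rather than to the presence of an order ID, and the handler must derive the refund destination from the order, not from the request.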


How This Could Impact Your Website

In a realistic scenario, a site owner managing a WooCommerce store could be unaware that an unauthenticated attacker is triggering refunds. Internal staff or contractors who handle orders and customer service might see unexpected refunds or disputed transactions, and finance teams could receive alerts about payments being reversed. External contributors or third-party integrators with access to order data might have their workflows disrupted by unauthorized refunds.

Practical consequences include unauthorized financial adjustments to orders and the possibility that refunded funds are redirected away from the merchant to an attacker-controlled account. While the confidentiality impact is described as low, exposure of transactional details or customer email addresses in related logs or communications could increase the risk of targeted phishing or social engineering against staff or customers.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the plugin to version 4.7.2 or later (the advisory lists versions before 4.7.2 as affected).
  • Review and reduce unnecessary user roles, especially contributor and shop manager accounts that are not in active use.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site and payment activity for unusual refund requests, transaction reversals, or changes to payment destinations.
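As an added example for the monitoring item above (not code from the Eupago plugin or from Freshy), the following must-use plugin hooks WooCommerce's `woocommerce_order_refunded` action, writes a structured entry to the WooCommerce log for every refund, and alerts on the two conditions this advisory makes relevant: a refund created while no user is logged in, and a burst of refunds in a short window. The thresholds, the `refund-monitor` log source name, the alert recipient and the webhook path heuristic are assumptions.

```php
<?php
/**
 * Added example (not the Eupago plugin's or Freshy's code): log every
 * WooCommerce refund with its initiator and alert on refunds created
 * outside an authenticated session or arriving in a burst.
 * Save as wp-content/mu-plugins/refund-monitor.php.
 */

const EXAMPLE_REFUND_BURST_LIMIT  = 5;    // assumed: refunds allowed per window
const EXAMPLE_REFUND_BURST_WINDOW = 600;  // assumed: window length in seconds

add_action( 'woocommerce_order_refunded', 'example_monitor_refund', 10, 2 );

function example_monitor_refund( $order_id, $refund_id ) {
    $order  = wc_get_order( $order_id );
    $refund = wc_get_order( $refund_id );   // WC_Order_Refund
    if ( ! $order || ! $refund ) {
        return;
    }

    $user_id = get_current_user_id();       // 0 when nobody is logged in
    $context = array(
        'order_id'  => $order_id,
        'refund_id' => $refund_id,
        'amount'    => $refund->get_amount(),
        'gateway'   => $order->get_payment_method(),
        'user_id'   => $user_id,
        'remote_ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'n/a',
        'request'   => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'n/a',
        'source'    => 'refund-monitor',    // WooCommerce writes this to its own log file
    );

    $logger = wc_get_logger();
    $logger->info( 'Refund created', $context );

    $alerts = array();

    // Condition 1: no authenticated user behind the refund. Legitimate refunds
    // come from an admin session or from a gateway webhook; anything else
    // matches the unauthenticated-handler pattern in the advisory.
    if ( 0 === $user_id && ! example_is_gateway_webhook( $context['request'] ) ) {
        $alerts[] = 'refund created without an authenticated user';
    }

    // Condition 2: burst of refunds. The counter lives in a transient; note that
    // every refund re-arms the expiry, so the window is "since the last quiet
    // period", which is the conservative choice for an alert.
    $count = (int) get_transient( 'example_refund_burst' ) + 1;
    set_transient( 'example_refund_burst', $count, EXAMPLE_REFUND_BURST_WINDOW );
    if ( $count > EXAMPLE_REFUND_BURST_LIMIT ) {
        $alerts[] = sprintf( '%d refunds within %d seconds', $count, EXAMPLE_REFUND_BURST_WINDOW );
    }

    if ( $alerts ) {
        $logger->warning( 'Suspicious refund: ' . implode( '; ', $alerts ), $context );
        wp_mail(
            get_option( 'admin_email' ),    // assumed recipient
            sprintf( '[refund-monitor] Suspicious refund on order #%d', $order_id ),
            wp_json_encode( array_merge( $context, array( 'alerts' => $alerts ) ), JSON_PRETTY_PRINT )
        );
    }
}

function example_is_gateway_webhook( $request_uri ) {
    // Assumed heuristic: gateway callbacks arrive under WooCommerce's API path
    // (/wc-api/... or ?wc-api=...). Replace with the real webhook route.
    return false !== strpos( $request_uri, 'wc-api' );
}
```

This hook only fires for refunds created through WooCommerce's own refund flow (`wc_create_refund()` and the order screen); a reversal performed directly against the gateway's API without a WooCommerce refund record will not appear here, so the log should be reconciled against the gateway's transaction reports as well.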

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
