Security Alert Summary
The BlueSnap Payment Gateway for WooCommerce plugin contains a missing authorization vulnerability that affects all versions up to and including 3.3.0. The plugin relies on WooCommerce’s WC_Geolocation::get_ip_address() to validate Instant Payment Notification (IPN) requests; because that function can trust user-controllable headers such as X-Real-IP and X-Forwarded-For, an unauthenticated attacker can spoof a whitelisted BlueSnap IP address and submit forged IPN data to alter order statuses (for example, marking orders as paid, refunded, failed, or on-hold).
CVE Details
- CVE ID: CVE-2026-0692
- Affected component: BlueSnap Payment Gateway for WooCommerce plugin for WordPress
- Affected versions: All versions up to and including 3.3.0
- Published: February 14, 2026 at 5:16:16 AM UTC
- Last modified: February 14, 2026 at 5:16:16 AM UTC
- CVSS v3.1: Base Score 7.5 — HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
- Authentication requirements: None (unauthenticated attackers can exploit by spoofing headers)
- CWE / weakness ID: CWE-862
Technical Details
The vulnerability is a missing authorization check in the plugin’s handling of Instant Payment Notification (IPN) requests. The plugin uses WooCommerce’s WC_Geolocation::get_ip_address() to determine the client IP address when validating incoming IPN requests. That geolocation function can use client-supplied headers such as X-Real-IP and X-Forwarded-For, which an attacker can control when sending HTTP requests.
Because the plugin’s IP allowlist check trusts the result of WC_Geolocation::get_ip_address() without additional validation, an attacker can spoof a whitelisted BlueSnap IP address via those headers and submit forged IPN payloads. The forged IPN data can be used to change order statuses—marking orders as paid, refunded, failed, or on-hold—without any required authentication or user interaction.
This is an authorization bypass tied to insufficient validation of the source IP and reliance on potentially untrusted headers. The impact is on data integrity for order state; the vulnerability does not indicate a confidentiality or availability impact in the CVE entry.
How This Could Impact Your Website
Scenario: A site owner runs a WooCommerce store using the BlueSnap Payment Gateway plugin. Internal staff (fulfillment and accounting) rely on automated order statuses to trigger shipping and refunds. An external contractor or a remote integrator manages payments and order processing.
If an attacker can send forged IPN requests that the plugin accepts as coming from BlueSnap, they could change order statuses without authorization. Practical consequences include shipments being released for unpaid orders, fraudulent refunds being recorded, or paid orders being switched to failed or on-hold—creating financial loss, inventory mistakes, and accounting reconciliation issues. These actions affect the integrity of order data rather than exposing customer data directly.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Until a patch is applied, consider restricting access to IPN endpoints at the webserver or application firewall level where possible, and validate incoming request sources beyond trusting forwarding headers.
- Review and reduce unnecessary user roles, especially contributor-level accounts and any accounts with order-processing capabilities.
- Enforce strong passwords and two-factor authentication for editors and administrators involved in order or payment processing.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and order logs for unusual behavior (sudden refunds, status changes, or IPs not matching known payment provider ranges).
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/bluesnap-payment-gateway-for-woocommerce/tags/3.4.0/includes/class-wc-bluesnap-ipn-webhooks.php#L417
- https://plugins.trac.wordpress.org/browser/bluesnap-payment-gateway-for-woocommerce/trunk/includes/class-wc-bluesnap-ipn-webhooks.php#L417
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dc676e18-c895-4f6a-bce9-1f92207af885?source=cve