Security Advisory ยท Published 2026-05-28
CVE-2026-7862: Someone Can Refund Your WooCommerce Orders to Their Own Bank Account
I want you to read that title again. This isn't a theoretical data leak or a privilege escalation that requires an admin account. This is an unauthenticated attacker - no login, no credentials, nothing - hitting your payment gateway's refund endpoint and sending your money to their bank account. If you're running the Eupago Gateway for WooCommerce plugin version below 4.7.2, this is happening on your store right now if anyone's found it.
What's happening here
The Eupago Gateway for WooCommerce plugin doesn't properly restrict access to its refund request handler. The endpoint that processes refunds is supposed to be admin-only - obviously, right? But in versions before 4.7.2, there's no authentication check. Anyone who can reach your WordPress installation can call that handler.
Operational impact: An attacker crafts a request targeting any WooCommerce order ID, triggers a refund through the Eupago payment gateway using your merchant credentials (which the plugin stores), and for supported payment methods, specifies their own bank account as the refund destination. Your customer's order gets refunded. The money goes to the attacker. You're out the product and the money.
CWE-284: Improper Access Control. The simplest, most preventable class of bug - and one of the most devastating when it touches payment processing.
Am I affected?
You're affected if:
- You run the "Eupago Gateway For Woocommerce" plugin
- Your version is below 4.7.2
- Your store processes payments through Eupago (primarily Portugal/Brazil merchants)
Check right now - 60 seconds
# SSH into your server:
wp plugin list --status=active | grep -i eupago
# Or check directly:
grep -r "Version:" wp-content/plugins/eupago-gateway-for-woocommerce/*.php 2>/dev/null | head -5
# Check your WooCommerce refund logs for suspicious activity:
wp db query "SELECT ID, post_date, post_status FROM $(wp db prefix)posts WHERE post_type='shop_order_refund' ORDER BY post_date DESC LIMIT 20;" Check for signs of exploitation
This one leaves financial traces. Look for:
# Unexpected refunds in the last 30 days:
wp db query "SELECT p.ID, p.post_date, pm.meta_value as amount FROM $(wp db prefix)posts p JOIN $(wp db prefix)postmeta pm ON p.ID=pm.post_id WHERE p.post_type='shop_order_refund' AND pm.meta_key='_refund_amount' AND p.post_date > DATE_SUB(NOW(), INTERVAL 30 DAY) ORDER BY p.post_date DESC;"
# Check access logs for direct hits to the refund handler:
grep -i "eupago\|refund" /var/log/apache2/access.log /var/log/nginx/access.log 2>/dev/null | grep POST | tail -20
# Compare refund count this month vs last month:
wp db query "SELECT DATE_FORMAT(post_date, '%Y-%m') as month, COUNT(*) as refunds FROM $(wp db prefix)posts WHERE post_type='shop_order_refund' GROUP BY month ORDER BY month DESC LIMIT 3;" What to do right now
๐ด Right now - 5 minutes
# Update the plugin immediately:
wp plugin update eupago-gateway-for-woocommerce
# If update isn't available yet, deactivate:
wp plugin deactivate eupago-gateway-for-woocommerce
# IMPORTANT: Check your Eupago merchant dashboard for unexpected refunds
# Log into your Eupago account at eupago.pt and review recent transactions Yes, deactivating means your store can't process Eupago payments temporarily. That's better than someone draining your account.
๐ก Today - 30 minutes
- Review all refunds from the past 30 days in WooCommerce - Orders - Refunds
- Check your Eupago dashboard for any refunds you didn't initiate
- Contact Eupago support if you find suspicious refunds - they may be able to reverse or flag them
- Rotate your Eupago API credentials after updating the plugin
๐ข This week - harden
- Add a WAF rule to block unauthenticated POST requests to WooCommerce payment endpoints
- Enable WooCommerce action logging so you have an audit trail for all refund actions
- Set up refund notifications - you should get an email for every refund, no exceptions
Need help?
If you found unexpected refunds in those queries, you need to act fast - this is active financial fraud, not just a security vulnerability. Ping7 can help with WooCommerce plugin review, transaction forensics, and credential rotation.
- WooCommerce plugin audit: $49 - results in 24 hours
- Transaction forensics + cleanup: $299 if you've been actively exploited
References
- NVD: CVE-2026-7862
- WPScan Advisory
- CWE-284: Improper Access Control
- CVSS 8.6 -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L - Fixed in: Eupago Gateway for WooCommerce 4.7.2