CVE-2026-34891: WordPress IDPay Payment Gateway for Woocommerce plugin <= 2.2.5 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a sensitive data exposure vulnerability in the IDPay Payment Gateway for WooCommerce WordPress plugin, affecting versions 2.2.5 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially accessible to any remote attacker. Successful exploitation allows an attacker to read sensitive data from the affected installation. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.
HarborGuard Coverage
Detection for CVE-2026-34891 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering both registry images and custom-built images that bundle this plugin. Any image containing IDPay Payment Gateway for WooCommerce at version 2.2.5 or earlier is flagged automatically.
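As an added example (not HarborGuard's scanner and not code from the IDPay project), the following Python shows the check that flagging an image on this advisory reduces to: read the WordPress plugin header from the plugin's main PHP file, match the plugin name, and compare the declared version against the advisory's upper bound of 2.2.5. The plugin directory layout, the sample header text and the exact-name match are assumptions made for this example; the plugin's real slug and main file name are not given on this page.

```python
"""Added example: flag a WordPress plugin install as affected by CVE-2026-34891.

Illustration only, not HarborGuard's scanner. The plugin directory layout and
the sample header below are assumptions, not taken from the advisory.
"""
import os
import re

AFFECTED_NAME = "idpay payment gateway for woocommerce"  # advisory title, lowercased
LAST_AFFECTED_VERSION = "2.2.5"                           # advisory: <= 2.2.5 is affected

# WordPress reads plugin metadata from a comment block at the top of the
# plugin's main PHP file and only inspects the first 8 KiB of that file.
HEADER_BYTES = 8192
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$",
                       re.IGNORECASE | re.MULTILINE)

# Constructed sample header (not the real IDPay plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: IDPay Payment Gateway for Woocommerce
 * Description: constructed sample for this example
 * Version: 2.2.5
 */
"""


def parse_plugin_header(text):
    """Return {'plugin name': ..., 'version': ...} from a plugin main file's header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:HEADER_BYTES]):
        fields.setdefault(key.lower(), value.strip())
    return fields


def version_key(version):
    """'2.2.5-beta1' -> (2, 2, 5); a trailing pre-release tag is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a, b):
    """-1, 0 or 1 like cmp(); shorter tuples are zero-padded so 2.2.5.0 == 2.2.5."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(plugin_name, version):
    """True when the header names the plugin and the version is within the advisory's range.
    Matching on the display name is an assumption; the directory slug would be
    the more robust key, but it is not given on the advisory page."""
    if plugin_name.strip().lower() != AFFECTED_NAME:
        return False
    return compare_versions(version, LAST_AFFECTED_VERSION) <= 0


def find_affected_plugins(plugins_root):
    """Walk <plugins_root>/<slug>/*.php (assumed wp-content/plugins layout) and
    return [(path, version)] for every main file that matches the advisory."""
    hits = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for entry in sorted(os.listdir(plugin_dir)):
            if not entry.endswith(".php"):
                continue
            path = os.path.join(plugin_dir, entry)
            with open(path, "rb") as fh:
                text = fh.read(HEADER_BYTES).decode("utf-8", "replace")
            header = parse_plugin_header(text)
            if "plugin name" in header and "version" in header \
                    and is_affected(header["plugin name"], header["version"]):
                hits.append((path, header["version"]))
    return hits


if __name__ == "__main__":
    header = parse_plugin_header(SAMPLE_HEADER)
    print(header, is_affected(header["plugin name"], header["version"]))
```

Point `find_affected_plugins` at the extracted image layer's `wp-content/plugins` directory (an assumed path) to get the list of flagged plugin files; the version comparison is numeric, so `2.10` correctly sorts after `2.9`.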
HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules. (Status: Available)
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment IDPay releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress/WooCommerce service via HTTP or HTTPS.
- Authentication: Not required
  No account or session credential of any privilege level is needed to trigger the data exposure.
- Victim interaction: Not required
  The attacker does not need to involve or deceive any user of the application to exploit this vulnerability.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race windows, or environmental factors to succeed.
Blast Radius
- An unauthenticated attacker can read sensitive data stored or processed by the IDPay Payment Gateway plugin, which in a WooCommerce context is likely to include payment-related transaction details or API credentials.
- Exposed API keys or tokens could be reused by an attacker to interact with the IDPay payment service on behalf of the merchant.
- No data modification or service disruption is indicated by the CVSS vector; the impact is confined to confidentiality loss.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active across all customer environments, flagging any image that bundles IDPay Payment Gateway for WooCommerce at version 2.2.5 or earlier. Because no upstream fix exists at this time, the recommended approach is to isolate affected containers behind network policy rules that block unauthenticated external access to the plugin's endpoints, and to rotate any IDPay API credentials that may have been exposed. Where compliance policy permits, teams can apply egress filtering to limit what the WooCommerce container can reach externally, reducing the value of any stolen credentials. HarborGuard will re-evaluate the advisory on every ingest cycle; for customers with auto-remediation enabled, a patched rebuild and PR against affected workloads will be generated automatically the moment IDPay publishes a corrected version.
Affected Products
- IDPay / IDPay Payment Gateway for Woocommerce: ≤ 2.2.5
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N