CVE-2026-57677 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-57677: WordPress Novalnet Payment Gateway for WooCommerce plugin <= 12.10.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability where attacker-controlled data is passed to PHP's unserialize() function, letting the attacker craft a malicious object that triggers unintended code execution. This vulnerability in the Novalnet Payment Gateway for WooCommerce plugin (versions up to and including 12.10.3) is reachable over the network with no authentication required. Successful exploitation gives an attacker full read, write, and availability impact on the affected application, which can include remote code execution, data theft, or complete service disruption. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment a fix version is released.
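The pattern the synopsis describes, shown as an added illustration rather than code from the Novalnet plugin or from HarborGuard: a handler that feeds request data straight into unserialize(), beside a hardened version that refuses to instantiate any class. The class AuditHook, the handler names and the request payload are all hypothetical and constructed for the example.

```php
<?php
// Added example, not the plugin's code. AuditHook is a hypothetical class
// with a magic method; in a real gadget chain such a method would do
// something dangerous, here it only records that it ran.
class AuditHook {
    public $ran = false;
    public function __wakeup() { $this->ran = true; }
}

// VULNERABLE: attacker-controlled input goes straight into unserialize().
// Any class loaded by WordPress/WooCommerce can be instantiated and its
// __wakeup()/__destruct() methods executed without authentication.
function handle_callback_vulnerable(string $raw) {
    return unserialize($raw);
}

// HARDENED: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no magic method runs. Objects are then rejected
// outright, because this endpoint never expects them. For new code, prefer
// JSON (json_decode) over the serialize format for structured input.
function handle_callback_hardened(string $raw) {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return null; // malformed input
    }
    if (contains_object($data)) {
        return null; // object payloads are never legitimate here
    }
    return $data;
}

// Walk arrays recursively and report whether any value is an object.
function contains_object($v): bool {
    if (is_object($v)) return true;
    if (is_array($v)) {
        foreach ($v as $item) if (contains_object($item)) return true;
    }
    return false;
}

// Constructed input: a serialized AuditHook, as a request body might carry it.
$payload = 'O:9:"AuditHook":1:{s:3:"ran";b:0;}';

$obj = handle_callback_vulnerable($payload);
var_dump($obj instanceof AuditHook && $obj->ran); // bool(true): __wakeup ran

$safe = handle_callback_hardened($payload);
var_dump($safe); // NULL: payload rejected, nothing in AuditHook executed
```

Detection tip: a WAF or log rule that flags request bodies starting with the serialized-object prefix (O:<digits>:") at the plugin's unauthenticated endpoints catches this payload shape without needing to know the gadget chain.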

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress and WooCommerce images that bundle this plugin. Any image found carrying the Novalnet Payment Gateway for WooCommerce plugin at version 12.10.3 or earlier is flagged immediately.

Triage: Available

HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and surfaces it at the top of each affected environment's queue. Per-environment compliance policy weighting is applied so the alert is routed to the correct team inbox within each customer organization based on their configured severity thresholds and ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a corrected plugin version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without any manual intervention required.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker can reach it from the internet without any prior foothold on the host.

  • Authentication: Not required

    No account or session credential of any kind is needed; the attack can be launched by a completely anonymous HTTP request.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user to take an action; exploitation is entirely server-side.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites stand in the way of a successful attack.

Blast Radius

  • A successful attacker can read any data the web application process can access, including stored payment configuration, WooCommerce order records, and customer personally identifiable information.
  • The attacker can write or modify application files and database rows, which covers planting backdoors, altering order states, or overwriting plugin code.
  • Depending on the PHP gadget chains present in the WordPress environment, the attacker can achieve arbitrary remote code execution on the underlying server.
  • The attacker can crash or degrade the affected service by corrupting application state or consuming server resources, causing a denial of service for legitimate shoppers.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical (9.8) the moment it enters the advisory feed, and every image carrying Novalnet Payment Gateway for WooCommerce at or below version 12.10.3 is identified across all connected registries and CI pipelines. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published. In the interim, recommended compensating controls include applying a web application firewall rule to block or inspect requests to the plugin's unauthenticated endpoints, enforcing network policy to restrict inbound traffic to the WooCommerce service to known-good sources, and auditing running containers for the presence of this plugin version so affected workloads can be isolated or taken offline until a patch is available. For customers with auto-remediation enabled, the patched rebuild will trigger a regression test run and a PR against affected workloads as soon as the upstream fix is ingested.

Affected packages

  • Novalnet / Novalnet Payment Gateway for WooCommerce, versions ≤ 12.10.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H