CVE-2026-7862: Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary refund initiation vulnerability exists in the Eupago Gateway For WooCommerce WordPress plugin before version 4.7.2. The plugin's refund request handler is reachable over the network without any login or credentials, allowing any attacker to trigger it directly. Successful exploitation lets an attacker force refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and in some payment method configurations, redirect refunded funds to an attacker-controlled bank account. A patched-image rebuild at version 4.7.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-7862 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built WordPress and WooCommerce container images. Any image found to include the Eupago Gateway For WooCommerce plugin at a version below 4.7.2 is flagged in the pipeline scan results.
HarborGuard scores this CVE at CVSS 8.6 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership and severity thresholds.
A patched-image rebuild at version 4.7.2 is available on HarborGuard for any environment running an affected version of the plugin. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable refund handler is exposed over the network, so an attacker must be able to reach the WordPress site's HTTP endpoint from the internet or an internal network.
- Authentication: Not required
No account, session, or credentials of any kind are required; the refund handler accepts unauthenticated requests.
- Victim interaction: Not required
The attacker sends requests directly to the vulnerable endpoint; no user action or social engineering is needed.
- Attack complexity: Low
Exploitation is straightforward and condition-free; no race conditions, special memory layout, or timing requirements are involved.
Blast Radius
- Reads limited order metadata and transaction identifiers associated with any WooCommerce order, exposing partial customer and payment information.
- Forces refund transactions on arbitrary orders using the merchant's own payment gateway credentials, directly reversing revenue.
- Redirects refunded funds to an attacker-controlled bank account for payment methods that support beneficiary redirection, resulting in direct financial theft from the merchant.
- Causes partial service disruption by invalidating order states and triggering downstream fulfillment or accounting workflow errors tied to unexpected refund events.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-7862 is active across all scanning environments as of minutes after the advisory was published. For environments running the Eupago Gateway For WooCommerce plugin below version 4.7.2, a rebuilt image pinned to the fixed version 4.7.2 is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Given that this vulnerability requires no authentication and directly exposes financial transaction controls, prioritizing the upgrade to 4.7.2 is strongly advised. Until remediation is complete, network-policy controls that restrict public access to WooCommerce admin and callback endpoints can reduce exposure surface.
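The root cause described above is a refund request handler that skips authentication and authorization. As an added illustration (not the plugin's own code; the advisory gives no handler names, so every identifier prefixed hg_example_ is hypothetical), here is how a WordPress AJAX refund handler for a WooCommerce gateway should be gated: logged-in hook only, nonce check, capability check, order and amount validation, and no beneficiary taken from the request.

```php
<?php
// Added example: hardened refund request handler for a hypothetical WooCommerce
// payment-gateway plugin. Names prefixed "hg_example_" are invented here and are
// not Eupago's or WooCommerce's identifiers.
//
// For contrast, the vulnerable pattern is to register the same callback on the
// 'wp_ajax_nopriv_*' hook as well and to trust order, amount and beneficiary
// fields straight from the request with no nonce or capability check.

// Logged-in users only: 'wp_ajax_nopriv_' is deliberately not registered, so
// unauthenticated requests never reach the callback at all.
add_action( 'wp_ajax_hg_example_refund', 'hg_example_handle_refund' );

function hg_example_handle_refund() {
    // 1. CSRF: the admin screen must embed a nonce from wp_create_nonce( 'hg_example_refund' ).
    check_ajax_referer( 'hg_example_refund', 'nonce' );

    // 2. Authorization: only shop managers/admins may refund orders.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: the order must exist and the amount must be positive and
    //    no larger than what is still refundable on that order.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }
    $amount    = isset( $_POST['amount'] ) ? floatval( wp_unslash( $_POST['amount'] ) ) : 0.0;
    $remaining = (float) $order->get_total() - (float) $order->get_total_refunded();
    if ( $amount <= 0 || $amount > $remaining ) {
        wp_send_json_error( array( 'message' => 'Invalid refund amount.' ), 400 );
    }

    // 4. Beneficiary: never taken from the request. The refund is returned to the
    //    original payment method; any alternate account must come from stored data.
    // 5. Refund through WooCommerce, which calls the gateway's process_refund()
    //    with the merchant's stored credentials.
    $refund = wc_create_refund( array(
        'amount'         => $amount,
        'reason'         => sanitize_text_field( wp_unslash( $_POST['reason'] ?? '' ) ),
        'order_id'       => $order_id,
        'refund_payment' => true,
    ) );
    if ( is_wp_error( $refund ) ) {
        wp_send_json_error( array( 'message' => $refund->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'refund_id' => $refund->get_id() ) );
}
```

Each wp_send_json_error() call terminates the request, so a failed check never falls through to the refund; the same gating applies to a REST route via its permission_callback.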
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: 4.7.2
- Affected Products: 1
Fix available
- Unknown / Eupago Gateway For Woocommerce < 4.7.2 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L