Vulnerabilities and security researches forcardgate cardgate

Jun 07, 2024

CVE, Research URL: CVE-2020-8819
Home page URL: Security reports for CardGate Payments for WooCommerce
Application: CardGate Payments for WooCommerce
Date: Feb 25, 2020
Research Description: An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
Affected versions: Min -, max -.
Status: vulnerable

Dec 08, 2024

CVE, Research URL: CVE-2024-12257
Home page URL: Security reports for CardGate Payments for WooCommerce
Application: CardGate Payments for WooCommerce
Date: Dec 07, 2024
Research Description: The CardGate Payments for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Apr 11, 2025

CVE, Research URL: CVE-2025-32119
Home page URL: Security reports for CardGate Payments for WooCommerce
Application: CardGate Payments for WooCommerce
Date: Apr 10, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CardGate CardGate Payments for WooCommerce allows Blind SQL Injection. This issue affects CardGate Payments for WooCommerce: from n/a through 3.2.1.
Affected versions: Min -, max -.
Status: vulnerable