cleantalk
Vulnerabilities and Security Researches

Japanized For WooCommerce, CVE-2026-1305

CVE, Research URL

CVE-2026-1305

Home page URL

Security reports for Japanized For WooCommerce

Application

Japanized For WooCommerce

Published on
Feb 27, 2026
Research Description
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.
Affected versions
max 2.8.5.
Status
vulnerable
Previous vulnerability researches
Brid Video Easy Publish (CVE-2025-5237) , Jun 18, 2025
Brid Video Easy Publish (CVE-2025-32688) , Apr 29, 2025
Brid Video Easy Publish (CVE-2025-8072) , Apr 14, 2026
Brid Video Easy Publish (CVE-2024-13561) , Jan 31, 2025
Brid Video Easy Publish (CVE-2024-12076) , Jan 26, 2025
New vulnerability
Custom Blocks Constructor – Lazy Blocks (CVE-2026-1560) , Apr 15, 2026
Happy Addons for Elementor (CVE-2026-2917) , Apr 15, 2026
Happy Addons for Elementor (CVE-2026-1210) , Apr 15, 2026
Happy Addons for Elementor (CVE-2026-2918) , Apr 15, 2026
All-in-One Video Gallery (CVE-2026-1706) , Apr 15, 2026