PayU Plugin Flaw Allows Account Takeover on 5000 WordPress Sites

A critical vulnerability in the PayU CommercePro plugin has put thousands of WordPress sites at risk by allowing unauthenticated attackers to hijack user accounts, according to Patchstack.
Vulnerability in Shipping Cost API Enables Account Hijack
The flaw, discovered in version 3.8.5, stems from insecure logic in the /payu/v1/get-shipping-cost API route. Attackers can exploit this to impersonate any registered user, including site administrators, without needing login credentials.
Tracked as CVE-2025-31022, the vulnerability is caused by unsafe handling of the update_cart_data() function. This function, which is supposed to process order and shipping details, accepts user IDs and sets session data without verifying user identity.
Because the API call only checks for a valid token linked to a hardcoded email – commerce.pro@payu.in – an attacker can generate a valid token using another exposed endpoint, /payu/v1/generate-user-token. With that token, they can send a malicious request that grants them control over any existing user account.
Exploitation Involves Chained API Calls and Hardcoded Email
The attack path follows these key steps:
- Generate an auth token using the trusted hardcoded email
- Call the shipping cost API with the target user’s email
- Trigger the vulnerable update_cart_data() function
- Gain access to the user’s WordPress account
The plugin also deletes temporary guest accounts it creates, reducing the chances of detection. This adds a layer of stealth to the exploit, allowing attackers to remain undetected after takeover.
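Because the takeover described above depends on two endpoints being called in sequence, a site operator who cannot yet remove the plugin can at least look for that sequence in web-server access logs. The following Python script is an added example written for this article, not code from Patchstack or from the PayU plugin: it parses combined-format access-log lines (the sample lines below are constructed, with RFC 5737 documentation addresses) and flags any client that successfully called /payu/v1/generate-user-token and then /payu/v1/get-shipping-cost within a short window. Route paths are taken from the article; the /wp-json prefix, the five-minute window and the log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Route suffixes named in the article; the /wp-json prefix is the usual WordPress REST base.
TOKEN_ROUTE = "/payu/v1/generate-user-token"
SHIPPING_ROUTE = "/payu/v1/get-shipping-cost"

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 256 "-" "curl/8.0"
198.51.100.4 - - [10/Jun/2025:12:05:00 +0000] "GET /wp-json/payu/v1/get-shipping-cost?cart=1 HTTP/1.1" 200 256 "https://shop.example/checkout" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2025:12:10:00 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jun/2025:13:30:00 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 256 "-" "python-requests/2.31"
this line is not a valid log record
"""

# client, timestamp, request line (method + path) and status code of a combined-format record.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client, timestamp, path, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string before matching the route
    return m.group("client"), ts, path, int(m.group("status"))


def find_token_chains(log_text, window=timedelta(minutes=5)):
    """Flag clients that obtained a token and then hit the shipping-cost route within `window`.

    Only successful (HTTP 200) calls are considered, since a rejected token request
    cannot feed the second step. A shipping-cost call with no preceding token call
    from the same client (normal checkout traffic) is not flagged.
    """
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])  # process in time order even if the log is not
    last_token = {}  # client -> time of its most recent successful token request
    hits = []
    for client, ts, path, status in events:
        if status != 200:
            continue
        if path.endswith(TOKEN_ROUTE):
            last_token[client] = ts
        elif path.endswith(SHIPPING_ROUTE) and client in last_token:
            delta = ts - last_token[client]
            if timedelta(0) <= delta <= window:
                hits.append({
                    "client": client,
                    "token_at": last_token[client].isoformat(),
                    "shipping_at": ts.isoformat(),
                    "seconds_between": delta.total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_token_chains(SAMPLE_LOG):
        print(f"possible token chain from {hit['client']}: "
              f"token at {hit['token_at']}, shipping call {hit['seconds_between']:.0f}s later")
```

Run it against a real access log by passing the file contents instead of SAMPLE_LOG. The window is a tuning knob: the constructed 192.0.2.9 client is only flagged once the window is widened past 80 minutes, so a very wide window trades false positives for coverage of a patient attacker. Any hit is worth checking against the plugin's own records of created and deleted guest accounts, since the article notes those deletions are what make the takeover hard to spot.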
No Fix Released After 30-Day Disclosure Window
Despite responsible disclosure efforts, no patch has been issued by the vendor.
“If you’re a PayU CommercePro user, please deactivate and delete the plugin,” the team at Patchstack suggested.
Developers are also urged to audit public API endpoints and eliminate hardcoded credentials to prevent similar risks.