Security Vulnerability in PayU Plugin Facilitates Account Takeover on 5,000 WordPress Sites


A critical vulnerability in the PayU CommercePro plugin has exposed thousands of WordPress sites to risks from unauthenticated attackers capable of hijacking user accounts.

Vulnerability in Shipping Cost API Enables Account Hijacking

Discovered in version 3.8.5, the flaw is rooted in insecure logic within the /payu/v1/get-shipping-cost API route. Attackers can exploit this vulnerability to impersonate any registered user, including site administrators, without authentication.

Tracked as CVE-2025-31022, the vulnerability results from improper handling in the update_cart_data() function, which processes order and shipping details. This function accepts user IDs and sets session data without verifying user identity.

The API call only checks for a valid token associated with a hardcoded email—[email protected]—allowing attackers to generate a valid token via another exposed endpoint, /payu/v1/generate-user-token. Armed with this token, an attacker can issue a malicious request to gain access to any existing user account.

Exploitation Involves Chained API Calls and Hardcoded Email

The attack sequence consists of several key steps:

1. Generate an authentication token using the hardcoded email.
2. Call the shipping cost API using the targeted user’s email.
3. Trigger the vulnerable update_cart_data() function.
4. Access the WordPress account of the user.

Additionally, the plugin deletes temporary guest accounts it creates, enhancing stealth and enabling attackers to operate undetected after account takeover.
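Because the two routes are called in sequence, a site's access log can be checked for that pairing after the fact. The following is an added detection example, not code from the write-up or from the plugin; it assumes a combined-format web-server log and the two standard WordPress REST URL forms, and the log lines in it are constructed:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# The two REST routes named in the write-up.
TOKEN_ROUTE = "/payu/v1/generate-user-token"
SHIPPING_ROUTE = "/payu/v1/get-shipping-cost"

# Combined-format access log (an assumption about the site's web server).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def rest_route(target):
    """WordPress serves a route as /wp-json/<route> or /?rest_route=<route>."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    return parts.path[len("/wp-json"):] if parts.path.startswith("/wp-json/") else None

def find_chained_calls(lines, window=timedelta(minutes=10)):
    """Map ip -> [(token_time, shipping_time)] for clients that obtain a token and
    then call get-shipping-cost within `window` (lone checkout calls are not flagged)."""
    token_times, findings = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format
        ip, status = m.group("ip"), int(m.group("status"))
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        route = rest_route(m.group("target"))
        if route == TOKEN_ROUTE and status == 200:
            token_times[ip].append(ts)
        elif route == SHIPPING_ROUTE:
            recent = [t for t in token_times[ip] if timedelta(0) <= ts - t <= window]
            if recent:
                findings[ip].append((max(recent), ts))
    return dict(findings)

# Constructed sample: one chained pair (both URL forms), one lone checkout, one stale token.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:14:02:10 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 118
203.0.113.7 - - [10/Jun/2025:14:02:13 +0000] "POST /?rest_route=%2Fpayu%2Fv1%2Fget-shipping-cost HTTP/1.1" 200 342
198.51.100.4 - - [10/Jun/2025:14:05:00 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 342
198.51.100.9 - - [10/Jun/2025:09:00:00 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 118
198.51.100.9 - - [10/Jun/2025:14:30:00 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 342
""".splitlines()
```

On the sample, only 203.0.113.7 is reported: the token call three seconds before the shipping-cost call; the lone checkout call and the token issued hours earlier are left alone, so the window is the knob to widen when reviewing older logs.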

No Patch Released After 30-Day Disclosure Window

Despite responsible disclosure efforts, the vendor has not made a patch available.

Users of the PayU CommercePro plugin are strongly advised to deactivate and remove the plugin. Developers should audit public API endpoints and eliminate hardcoded credentials to prevent similar vulnerabilities in future applications.