A critical vulnerability in the PayU CommercePro plugin has exposed thousands of WordPress sites to risks from unauthenticated attackers capable of hijacking user accounts. <\/p>\n
Discovered in version 3.8.5, the flaw is rooted in insecure logic within the Tracked as CVE-2025-31022, the vulnerability results from improper handling in the The API call only checks for a valid token associated with a hardcoded email\u2014commerce.pro@payu.in\u2014allowing attackers to generate a valid token via another exposed endpoint, The attack sequence consists of several key steps:<\/p>\n 1. Generate an authentication token using the hardcoded email. Additionally, the plugin deletes temporary guest accounts it creates, enhancing stealth and enabling attackers to operate undetected after account takeover.<\/p>\n Despite efforts for responsible disclosure, no patch has been made available by the vendor. <\/p>\n Users of the PayU CommercePro plugin are strongly advised to deactivate and remove the plugin. Developers should conduct audits of public API endpoints and eliminate hardcoded credentials to mitigate similar vulnerabilities in future applications.<\/p>\n","protected":false},"excerpt":{"rendered":" A critical vulnerability in the PayU CommercePro plugin has exposed thousands of WordPress sites to risks from unauthenticated attackers capable…<\/p>\n","protected":false},"author":1,"featured_media":1932,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[845,451,108],"class_list":["post-1931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-attackers","tag-plugin","tag-vulnerability"],"acf":[],"yoast_head":"\n\/payu\/v1\/get-shipping-cost<\/code> API route. Attackers can exploit this vulnerability to impersonate any registered user, including site administrators, without authentication.<\/p>\nupdate_cart_data()<\/code> function, which processes order and shipping details. This function accepts user IDs and sets session data without verifying user identity.<\/p>\n\/payu\/v1\/generate-user-token<\/code>. Armed with this token, an attacker can issue a malicious request to gain access to any existing user account.<\/p>\nExploitation Involves Chained API Calls and Hardcoded Email<\/h3>\n
\n2. Call the shipping cost API using the targeted user\u2019s email.
\n3. Trigger the vulnerable update_cart_data()<\/code> function.
\n4. Access the WordPress account of the user.<\/p>\nNo Patch Released After 30-Day Disclosure Window<\/h3>\n