CVE Catalog

CVE-2026-57677

Critical · CVSS 9.8

Summary

The Novalnet Payment Gateway for WooCommerce plugin version 12.10.3 and earlier is vulnerable to unauthenticated PHP Object Injection. An attacker can remotely send a crafted request, leading to arbitrary PHP code execution on the server.

Risk Assessment

The risk includes full server compromise, customer data theft, and modification of store content. The attack does not require authentication, making it easier to exploit.

Recommendation

Immediately update the Novalnet Payment Gateway for WooCommerce plugin to version 12.10.4 or later. If an update is not possible, temporarily disable the plugin.

Original NVD description (English source)

Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS