{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39645", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:32.779Z", "dateUpdated": "2026-04-29T09:52:03.130Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "global-payments-woocommerce", "product": "GlobalPayments WooCommerce", "vendor": "Global Payments", "versions": [{"lessThanOrEqual": "1.18.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.936Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.<p>This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:03.130Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/global-payments-woocommerce/vulnerability/wordpress-globalpayments-woocommerce-plugin-1-18-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:26:56.508085Z", "id": "CVE-2026-39645", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:27:28.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39645", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:26:56.508085Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:26:02.863Z"}}], "cna": {"title": "WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "affected": [{"vendor": "Global Payments", "product": "GlobalPayments WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.18.0"}], "packageName": "global-payments-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:36.936Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/global-payments-woocommerce/vulnerability/wordpress-globalpayments-woocommerce-plugin-1-18-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.<p>This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:32.779Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39645", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:27:28.837Z", "dateReserved": "2026-04-07T10:57:48.107Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:32.779Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0."}], "id": "CVE-2026-39645", "lastModified": "2026-04-24T18:06:24.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:35.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/global-payments-woocommerce/vulnerability/wordpress-globalpayments-woocommerce-plugin-1-18-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.18.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GlobalPayments WooCommerce", "source": "cna", "vendor": "Global Payments"}, "product": "globalpayments_woocommerce", "vendor": "global_payments"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T22:44:13.504697+00:00", "value": {"mitigation_remediation": ["Update the Global Payments WooCommerce plugin to the latest version (1.18.1 or newer).", "If an immediate update is not possible, limit or block outbound HTTP requests initiated by WordPress using firewall rules or host\u2011based controls.", "Consider disabling the plugin until a patch is applied.", "Monitor web server logs for abnormal outbound traffic patterns that may indicate SSRF attempts."], "summary": {"action": "Patch Now", "impact": "Server Side Request Forgery (SSRF) enabling unauthorized network requests"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the Global Payments WooCommerce plugin version 1.18.0 and earlier on WordPress sites, a commonly deployed payment integration for WooCommerce stores.", "description_and_impact": "Server\u2011Side Request Forgery (SSRF) allows an attacker to instruct the vulnerable Global Payments WooCommerce plugin to issue HTTP requests to arbitrary URLs, potentially accessing internal services or external sites without proper authorization, which could lead to data exposure or further exploitation. This weakness, classified as CWE\u2011918, originates from insufficient validation of user\u2011supplied URLs used by the plugin.", "risk_and_exploitability": "With a CVSS score of 5.4, the issue carries moderate severity, while an EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to provide a crafted URL to the plugin, potentially via a site visitor's request or a specially crafted API call, to trigger the SSRF. Although exploitation is unlikely, administrators should still consider patching to prevent potential access to internal networks."}}}}, "created": "2026-04-08T19:28:26.150694+00:00", "updated": "2026-04-14T16:38:54.412444+00:00", "vendors": ["global_payments", "global_payments$PRODUCT$globalpayments_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}