CVE-2020-8819: 
PHP vulnerability analysis and mitigation

An issue was discovered in the CardGate Payments plugin through version 3.1.15 for WooCommerce. The vulnerability involves a lack of origin authentication in the IPN (Instant Payment Notification) callback processing function, identified as CVE-2020-8819. The vulnerability was discovered and publicly disclosed on February 24, 2020 (GitHub Issue).

The vulnerability stems from insufficient origin validation in the IPN callback processing function. This security flaw allows unauthorized attackers to bypass the payment process by replacing critical plugin settings like merchant ID and secret keys with known values. The vulnerability is classified as CWE-346 (Origin Validation Error) and affects the plugin's payment processing functionality (GitHub Issue, Exploit DB).

The vulnerability enables attackers to bypass payment processes and potentially spoof order statuses by sending manual IPN callback requests with valid signatures but without actual payments. Additionally, attackers could potentially hijack and receive subsequent payments intended for the store by manipulating merchant credentials (GitHub Issue).

The vulnerability was fixed in versions after 3.1.15. Store owners running affected versions should immediately upgrade to the latest version of the CardGate Payments plugin. The fix includes proper origin authentication implementation for IPN callback processing (GitHub Issue).