CVE-2025-31022: 
WordPress vulnerability analysis and mitigation

Authentication Bypass vulnerability (CVE-2025-31022) affects the PayU India WordPress plugin versions 3.8.5 and earlier. The vulnerability was discovered by Rafie Muhammad and disclosed on June 5, 2025. This critical security flaw allows authentication bypass and potential account takeover in the PayU CommercePro plugin for WordPress, with the plugin having over 5,000 active installations (Wiz).

The vulnerability stems from a function called 'updatecartdata()' which is invoked from the '/payu/v1/get-shipping-cost' endpoint. The flaw exists because the endpoint checks for a valid token linked to a hard-coded email address 'commerce.pro@payu[.]in'. Combined with another REST API endpoint '/payu/v1/generate-user-token' that generates authentication tokens for given email addresses, this creates a security weakness. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical), indicating its severe nature (Wiz, Hacker News).

The vulnerability enables attackers to take control of any user account on the affected site without requiring authentication. This is particularly severe when administrator accounts are compromised, as it allows complete site takeover and the ability to perform malicious actions. With over 5,000 active installations, this represents a significant security risk (Wiz).

As no official patch is currently available, users are strongly advised to deactivate and delete the plugin immediately. Security experts recommend against hard-coding sensitive information such as email addresses in the codebase and ensuring that unauthenticated REST API endpoints are not overly permissive (Wiz, Patchstack).