The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Eupago Gateway For WooCommerce plugin before version 4.7.2 contains a critical access control vulnerability (CWE-284) that allows unauthenticated attackers to manipulate refund requests. By exploiting an improperly secured refund handler endpoint, attackers can initiate refunds against any WooCommerce order without authentication, and in some cases redirect those funds to attacker-controlled accounts. This vulnerability directly threatens e-commerce merchants and their customers, as attackers can drain funds, cause financial losses, and damage customer trust. Any WooCommerce store using the vulnerable Eupago plugin version is at immediate risk of unauthorized refund abuse and potential account takeover scenarios.
Casky.ai's security skills would detect the attack patterns underlying this vulnerability by analyzing suspicious refund initiation requests that lack proper authentication tokens or session validation. Practitioners using Casky would identify reconnaissance activity through unauthenticated API calls to refund endpoints, followed by T1110 (Brute Force) patterns as attackers enumerate valid order IDs, and T1578 (Modify Cloud Compute Infrastructure) equivalents in payment processing as attackers alter refund destinations. Extended reasoning across Casky's 754 mapped skills would surface anomalous request patterns—such as bulk refund requests from external IPs, unusual geographic origins of refund modifications, and mismatched refund recipient accounts—all indicators of T1586 (Compromise Accounts) and T1556 (Modify Authentication Process) style attacks. Findings would surface failed access control checks, missing authorization headers, and unvalidated refund parameter manipulation as the core security gaps.
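The request-log check described above (refund requests without an authenticated session, bulk order IDs from one client, altered refund destinations) can be sketched as follows. This is an added example, not Casky's or the plugin's code; the JSON log format, the `REFUND_ACTION_PLACEHOLDER` action name, the `order_id` and `iban` fields and the threshold are assumptions, because the page does not give the handler's route or parameters.

```python
import json
from collections import defaultdict

# Assumptions: the page does not name the handler's route, so a placeholder is used.
REFUND_ACTION = "REFUND_ACTION_PLACEHOLDER"
WP_AUTH_COOKIE_PREFIX = "wordpress_logged_in_"  # WordPress core login cookie prefix
BULK_THRESHOLD = 3  # distinct orders per client treated as bulk (assumed value)

# Constructed sample records (JSON lines from a hypothetical reverse-proxy log).
SAMPLE_LOG = """\
{"ip":"203.0.113.7","params":{"action":"REFUND_ACTION_PLACEHOLDER","order_id":"1001"},"cookies":[]}
{"ip":"203.0.113.7","params":{"action":"REFUND_ACTION_PLACEHOLDER","order_id":"1002","iban":"XX00TEST0001"},"cookies":[]}
{"ip":"203.0.113.7","params":{"action":"REFUND_ACTION_PLACEHOLDER","order_id":"1003"},"cookies":["session_tracker"]}
{"ip":"198.51.100.20","params":{"action":"REFUND_ACTION_PLACEHOLDER","order_id":"1004"},"cookies":["wordpress_logged_in_abc123"]}
{"ip":"192.0.2.55","params":{"action":"REFUND_ACTION_PLACEHOLDER","order_id":"2001"},"cookies":[]}
this line is not JSON and must be skipped
"""

def find_suspicious_refunds(log_text):
    """Group unauthenticated refund requests by client IP and flag risky patterns."""
    per_ip = defaultdict(lambda: {"orders": set(), "dest": set()})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:  # blank or malformed line
            continue
        if not isinstance(rec, dict):
            continue
        params = rec.get("params", {})
        authed = any(c.startswith(WP_AUTH_COOKIE_PREFIX) for c in rec.get("cookies", []))
        if params.get("action") != REFUND_ACTION or authed:
            continue  # not a refund request, or it carries a login cookie
        entry = per_ip[rec.get("ip", "unknown")]
        entry["orders"].add(str(params.get("order_id", "")))
        if params.get("iban"):  # request tries to set the refund destination
            entry["dest"].add(params["iban"])
    return [
        {"ip": ip, "orders": sorted(e["orders"]),
         "bulk": len(e["orders"]) >= BULK_THRESHOLD,
         "sets_destination": bool(e["dest"])}
        for ip, e in sorted(per_ip.items())
    ]

if __name__ == "__main__":
    for finding in find_suspicious_refunds(SAMPLE_LOG):
        print(finding)
```

A login cookie being present does not prove the session is valid or authorized for refunds, so a hit here is a lead for review, and the durable fix remains updating the plugin to 4.7.2 or later.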
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-7862. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation