
A severe vulnerability in the PayU CommercePro plugin for WordPress, which has over 5,000 active installations, allows unauthenticated attackers to take over any user account, including admins. Tracked as CVE-2025-31022 with a CVSS score of 9.8, the flaw remains unpatched in the latest version (3.8.5) and presents an immediate threat to WooCommerce-powered stores.
“In the latest version 3.8.5, the plugin is vulnerable to an account takeover vulnerability, which allows attackers to take over any user of the WordPress site without authentication,” the advisory explains.
The root cause lies in the misuse of user identity within the plugin’s update_cart_data() function, where a user ID is assigned based on an email check even if the user is not logged in.
This function is invoked through the handleValidToken() logic, which is itself accessible via a public REST API endpoint: /payu/v1/get-shipping-cost.
Here’s where the exploit becomes dangerously simple:
- The plugin uses a hardcoded email constant: define('PAYU_USER_TOKEN_EMAIL', 'commerce.pro@payu.in');
- Another API endpoint (/payu/v1/generate-user-token) allows anyone to generate a valid auth token just by entering this email.
“It means we can easily grab the auth token for the hardcoded email address and send the /payu/v1/get-shipping-cost API request to hit the vulnerable sink update_cart_data() and take over any account,” the advisory warns.
With the token in hand, attackers can make a crafted request to the vulnerable endpoint and hijack any WordPress user account. The attack chain is:
- Call /payu/v1/generate-user-token with the hardcoded email.
- Receive a valid token in the response.
- Use that token to call /payu/v1/get-shipping-cost with the target email.
- The plugin internally updates cart data as if it were the authenticated user, thus taking over the session.
No login, password, or brute force needed—just one API call and access to any account, including admins.
The vulnerability remains unpatched as of the latest version (3.8.5). Therefore, immediate action is essential:
- Deactivate and remove the PayU CommercePro plugin.
- Reset passwords and review access logs for signs of account tampering.
- Apply Web Application Firewall (WAF) rules to block suspicious POST requests to /payu/v1/ endpoints.
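The log review recommended above can be automated. The script below is an added example written for this article, not code from the advisory or from PayU: it parses web-server access logs in the common combined format, flags every request to the two REST endpoints named in the advisory, and raises a higher-severity "token-then-sink" finding when one client calls /payu/v1/generate-user-token and then /payu/v1/get-shipping-cost within a short window, which is the chain the advisory describes. The log lines, IP addresses, timestamps and the /wp-json and ?rest_route= URL prefixes are constructed for illustration; WordPress exposes REST routes under either prefix, so the matcher looks for the route path as a substring rather than a fixed URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). These are invented
# for this example and are not traffic from any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jun/2025:12:00:03 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:12:05:44 +0000] "GET /shop/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:06:10 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 91 "https://shop.example/checkout/" "Mozilla/5.0"
192.0.2.55 - - [10/Jun/2025:13:30:00 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 310 "-" "curl/8.4.0"
192.0.2.55 - - [10/Jun/2025:13:30:05 +0000] "POST /?rest_route=/payu/v1/get-shipping-cost HTTP/1.1" 200 88 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Route paths from the advisory; matched as substrings so both the /wp-json/
# prefix and the ?rest_route= form are caught.
TOKEN_PATH = "/payu/v1/generate-user-token"
SINK_PATH = "/payu/v1/get-shipping-cost"
# Correlation window (assumption for this example): a token request followed by
# a shipping-cost request from the same client within this window is treated as
# one chain.
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def detect(log_text):
    """Return a list of (finding, ip, timestamp) tuples.

    'token-endpoint' and 'sink-endpoint' record every hit on the two routes;
    'token-then-sink' is added when the same client hit the token route and
    then the shipping-cost route within WINDOW.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    token_calls = defaultdict(list)  # ip -> timestamps of generate-user-token hits
    for e in events:
        if TOKEN_PATH in e["path"]:
            findings.append(("token-endpoint", e["ip"], e["ts"]))
            token_calls[e["ip"]].append(e["ts"])
        elif SINK_PATH in e["path"]:
            findings.append(("sink-endpoint", e["ip"], e["ts"]))
            if any(timedelta(0) <= e["ts"] - t <= WINDOW for t in token_calls[e["ip"]]):
                findings.append(("token-then-sink", e["ip"], e["ts"]))
    return findings


def suspicious_ips(findings):
    """Clients that completed the full token-then-sink chain."""
    return {ip for kind, ip, _ in findings if kind == "token-then-sink"}


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for kind, ip, ts in results:
        print(f"{ts.isoformat()}  {ip:<15} {kind}")
    print("clients completing the chain:", sorted(suspicious_ips(results)))
```

Any hit on /payu/v1/get-shipping-cost from a client that never authenticated through the normal checkout flow deserves a look on its own, since the endpoint is public and the advisory identifies it as the vulnerable sink; the correlated finding simply prioritises which clients to investigate first, and the accounts those requests targeted are the ones whose passwords and sessions should be reset first.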