{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39645", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:32.779Z", "dateUpdated": "2026-04-08T08:30:32.779Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "global-payments-woocommerce", "product": "GlobalPayments WooCommerce", "vendor": "Global Payments", "versions": [{"lessThanOrEqual": "1.18.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.936Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.<p>This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:32.779Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/global-payments-woocommerce/vulnerability/wordpress-globalpayments-woocommerce-plugin-1-18-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0."}], "id": "CVE-2026-39645", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:35.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/global-payments-woocommerce/vulnerability/wordpress-globalpayments-woocommerce-plugin-1-18-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.18.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GlobalPayments WooCommerce", "source": "cna", "vendor": "Global Payments"}, "product": "globalpayments_woocommerce", "vendor": "global_payments"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:07:28.664017+00:00", "value": {"mitigation_remediation": ["Upgrade the Global Payments WooCommerce plugin to a version newer than 1.18.0.", "Confirm that the installation has been updated to the latest version.", "If an immediate upgrade is not possible, disable the plugin until it can be patched.", "Monitor outbound network traffic from the WordPress host for unexpected requests.", "Review and tighten firewall or web application filter rules to block internal network access from the server."], "summary": {"action": "Immediate Patch", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Global Payments WooCommerce plugin version 1.18.0 or earlier. The vulnerability applies to all systems running that plugin regardless of the underlying operating system. No specific platform or WordPress version is mentioned as affected.", "description_and_impact": "The vulnerability is a Server\u2011Side Request Forgery (CWE\u2011918) that allows an attacker to cause the WordPress server to initiate arbitrary HTTP requests from the host. This can expose internal network resources, steal sensitive data or perform further malicious actions such as accessing local files or internal services.", "risk_and_exploitability": "The CVSS score is not supplied, but SSRF vulnerabilities are generally high\u2011risk because they provide a foothold into internal networks. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, yet the exposure remains significant. Likely exploitation requires the attacker to trigger the plugin\u2019s request handling, which could be achieved through authenticated or unauthenticated web requests depending on the site configuration. Prompt remediation is therefore advised."}}}}, "created": "2026-04-08T19:28:26.150694+00:00", "updated": "2026-04-08T19:41:30.943458+00:00", "vendors": ["global_payments", "global_payments$PRODUCT$globalpayments_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}