CVE-2026-57677

Novalnet · Payment Gateway for WooCommerce

An unauthenticated PHP object injection vulnerability exists in the Novalnet Payment Gateway for WooCommerce plugin, allowing potential remote code execution.

Executive summary

A critical PHP object injection vulnerability in the Novalnet Payment Gateway for WooCommerce plugin exposes unauthenticated attackers to remote code execution risks.

Vulnerability

This vulnerability involves an unauthenticated PHP object injection flaw within the payment processing logic, which can be leveraged to execute arbitrary code. The lack of authentication requirements means an attacker can trigger this exploit without prior access to the system.

Business impact

The severity of this vulnerability is underscored by its CVSS score of 9.8, indicating a critical risk to business operations. Successful exploitation could lead to full site compromise, unauthorized access to sensitive customer payment data, and significant reputational damage due to potential data breaches.

Remediation

Immediate Action: Update the Novalnet Payment Gateway for WooCommerce plugin to the latest available version immediately.

Proactive Monitoring: Review web server access logs for suspicious serialized PHP strings or unusual POST requests directed at the plugin's entry points.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common PHP object injection payloads.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this unauthenticated remote execution vulnerability, immediate patching is mandatory. Security teams should prioritize this update to prevent unauthorized access and potential data exfiltration from the WooCommerce environment.