Advisory

Critical account takeover flaw reported in WordPress PayU India plugin

Take action: If you are using the PayU India plugin, be aware that it is critically vulnerable and no fix is available. Immediately deactivate and remove the plugin from your WordPress installations.


A critical vulnerability has been reported in the WordPress PayU India plugin (also known as PayU CommercePro). The flaw allows unauthenticated attackers to hijack user accounts, including administrator accounts, without requiring any login credentials.

The vulnerability is tracked as CVE-2025-31022 (CVSS score 9.8). The flaw, discovered in version 3.8.5, stems from insecure logic in the /payu/v1/get-shipping-cost API route. Attackers can exploit this to impersonate any registered user, including site administrators, without needing login credentials.

The root cause lies in the unsafe handling of the update_cart_data() function, which is supposed to process order and shipping details. The function accepts user IDs and sets session data without verifying the identity of the caller.

The API only validates tokens against a hardcoded email address commerce.pro@payu.in, enabling attackers to generate legitimate authentication tokens through the exposed endpoint.

Attackers first generate a valid authentication token by exploiting the /payu/v1/generate-user-token endpoint using the hardcoded email address. With this token, they can then send malicious requests to the shipping cost API endpoint, targeting any user's email address to trigger the vulnerable update_cart_data() function.

The plugin also deletes temporary guest accounts it creates, reducing the chances of detection. This adds a layer of stealth to the exploit, allowing attackers to remain undetected after takeover. 
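Because the plugin removes the temporary guest accounts it creates, the web server access log is often the only durable trace of the two-step sequence described above. The following is an added detection example, not code from the advisory or from the PayU plugin: it parses combined-format access log lines (constructed samples, not real traffic) and flags a source address that calls the token-generation route and then the shipping-cost route within a short window. It assumes the routes are served under the standard WordPress REST base path /wp-json/.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 312 "-" "curl/8.4"
203.0.113.5 - - [10/Jun/2025:12:00:04 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 198 "-" "curl/8.4"
198.51.100.7 - - [10/Jun/2025:12:01:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:02:30 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 198 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed REST base path; sites using ?rest_route=... would need the query string parsed instead.
TOKEN_PATH = "/wp-json/payu/v1/generate-user-token"
SHIP_PATH = "/wp-json/payu/v1/get-shipping-cost"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop any query string before comparing
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": path, "status": int(m["status"])}


def find_suspicious(log_text, window_seconds=300):
    """Return (chains, shipping_hits).

    chains: (ip, token_ts, shipping_ts) for every successful token-route call followed
            within window_seconds by a shipping-cost call from the same address.
    shipping_hits: every successful shipping-cost call, worth reviewing on its own since
            the route should not normally be driven by arbitrary clients."""
    token_hits = defaultdict(list)
    chains, shipping_hits = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue
        if rec["path"] == TOKEN_PATH:
            token_hits[rec["ip"]].append(rec["ts"])
        elif rec["path"] == SHIP_PATH:
            shipping_hits.append((rec["ip"], rec["ts"]))
            for t in token_hits[rec["ip"]]:
                if 0 <= (rec["ts"] - t).total_seconds() <= window_seconds:
                    chains.append((rec["ip"], t, rec["ts"]))
    return chains, shipping_hits
```

A hit on the chain is worth correlating with the WordPress user table and session records from the same time, since the guest account itself may already be gone.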

The vulnerability affects all versions of the PayU India plugin up to and including version 3.8.5.

Despite responsible disclosure practices, no official security patch has been released by the vendor. The vulnerability was reported through proper channels, but after a 30-day disclosure window, the vendor has not provided an official fix. 

Given the severity of this vulnerability and the lack of an official patch, security experts strongly recommend that all users immediately deactivate and remove the PayU India plugin from their WordPress installations. 
