Payment webhook validation and price tampering
The primary attack vector we identify on WooCommerce sites is price and transaction status manipulation. Merchants install payment plugins (like Paystack or Flutterwave WooCommerce integrations). If these integrations are configured incorrectly, attackers can exploit two main vulnerabilities:
1. Client-Side Price Modification
If the plugin reads the total price directly from the checkout form payload instead of re-calculating it server-side, an attacker can modify the form parameters before checkout. They pay ₦100 for an item listed at ₦100,000, the payment gateway processes ₦100, and WooCommerce marks the order as "Processing" because it received a success callback for the requested reference.
2. Unauthenticated Webhook Web Bypass
When a customer pays, the gateway notifies WooCommerce via a webhook (e.g., https://example.com/?wc-api=wc_paystack). If the plugin does not verify the payment gateway's cryptographic signature (HMAC header), an attacker can send a spoofed success JSON payload to the webhook endpoint, forcing the store to fulfill the order without any money changing hands.
Auditing custom plugins and themes
Automated vulnerability scanners check plugins against databases of CVEs. They miss vulnerabilities in custom-developed code, bespoke payment gateways, or theme overrides. During our security reviews, we inspect PHP files for common injection vulnerabilities, such as Local File Inclusion (LFI) and SQL Injection:
<?php
// VULNERABLE custom plugin query
global $wpdb;
$user_input = $_POST['custom_id'];
// Raw SQL concatenation leads to direct database access
$results = $wpdb->get_results("SELECT * FROM wp_custom_table WHERE id = " . $user_input);
// SECURE prepared query
$results = $wpdb->get_results(
$wpdb->prepare("SELECT * FROM wp_custom_table WHERE id = %d", $user_input)
);
?> Server hardening and configuration file exposure
We audit the hosting server configuration to ensure configuration files (like wp-config.php or .env keys) are protected against unauthorized download. If directory listing is enabled or file permissions are weak, attackers can extract database credentials directly:
# Nginx configuration block to block access to wp-config.php
location ~* wp-config.php {
deny all;
access_log off;
log_not_found off;
} The WordPress audit checklist
To secure your WooCommerce storefront immediately, implement these rules:
- Enforce Webhook Signatures: Ensure your Paystack or Flutterwave integration has the secret API keys configured securely to validate all webhook signatures.
- Disable File Editing: Add
define('DISALLOW_FILE_EDIT', true);towp-config.phpto prevent administrators from editing code files directly in the WordPress dashboard. - Implement Strict Rate Limiting: Enforce rate limits on
wp-login.phpand the REST API endpoints to block automated credential stuffing. - Isolate the Database: Restrict database access to localhost only, and set a unique prefix for your tables (avoid the default
wp_prefix).
WooCommerce checkout price bypass
During a penetration test of a local electronics retailer, we intercepted the checkout payload and changed the product price field from ₦250,000 to ₦1. The Paystack plugin initiated payment for ₦1, which we paid successfully. The system marked the transaction as complete and authorized delivery. Fix priority: critical. Remediated by modifying the checkout controller to load prices strictly from the WooCommerce database cache.
Running an e-commerce platform on WordPress? Secure your checkout pipeline.
Book a WordPress Security AuditFrequently asked questions
Why are WordPress payment plugins targeted in Nigeria?
Many local merchants use Paystack, Flutterwave, or Monnify plugins to collect payments. If these plugins do not validate webhook payloads or allow parameter tampering, attackers can buy items without paying the actual price.
How does a WordPress security audit differ from a generic scan?
Generic scanners (like WPScan) only check for known vulnerabilities in published plugin versions. A manual penetration test checks custom code, payment callbacks, webhooks, and database configurations where logic exploits happen.
Can attackers hijack customer data through WordPress database leaks?
Yes. If the WordPress database config (wp-config.php) is exposed or if SQL injection exists in a plugin, attackers can extract user hashes, billing details, and API configuration parameters.
Related reading
Blog: Webhook security checklist · Business logic flaws · Rate limiting strategies
Services: Web penetration testing · Secure architecture review