Payment webhook validation and price tampering

The primary attack vector we identify on WooCommerce sites is price and transaction status manipulation. Merchants install payment plugins (like Paystack or Flutterwave WooCommerce integrations). If these integrations are configured incorrectly, attackers can exploit two main vulnerabilities:

1. Client-Side Price Modification

If the plugin reads the total price directly from the checkout form payload instead of re-calculating it server-side, an attacker can modify the form parameters before checkout. They pay ₦100 for an item listed at ₦100,000, the payment gateway processes ₦100, and WooCommerce marks the order as "Processing" because it received a success callback for the requested reference.

2. Unauthenticated Webhook Web Bypass

When a customer pays, the gateway notifies WooCommerce via a webhook (e.g., https://example.com/?wc-api=wc_paystack). If the plugin does not verify the payment gateway's cryptographic signature (HMAC header), an attacker can send a spoofed success JSON payload to the webhook endpoint, forcing the store to fulfill the order without any money changing hands.

Auditing custom plugins and themes

Automated vulnerability scanners check plugins against databases of CVEs. They miss vulnerabilities in custom-developed code, bespoke payment gateways, or theme overrides. During our security reviews, we inspect PHP files for common injection vulnerabilities, such as Local File Inclusion (LFI) and SQL Injection:

<?php
// VULNERABLE custom plugin query
global $wpdb;
$user_input = $_POST['custom_id'];
// Raw SQL concatenation leads to direct database access
$results = $wpdb->get_results("SELECT * FROM wp_custom_table WHERE id = " . $user_input);

// SECURE prepared query
$results = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM wp_custom_table WHERE id = %d", $user_input)
);
?>

Server hardening and configuration file exposure

We audit the hosting server configuration to ensure configuration files (like wp-config.php or .env keys) are protected against unauthorized download. If directory listing is enabled or file permissions are weak, attackers can extract database credentials directly:

# Nginx configuration block to block access to wp-config.php
location ~* wp-config.php {
    deny all;
    access_log off;
    log_not_found off;
}

The WordPress audit checklist

To secure your WooCommerce storefront immediately, implement these rules:

Example finding

WooCommerce checkout price bypass

During a penetration test of a local electronics retailer, we intercepted the checkout payload and changed the product price field from ₦250,000 to ₦1. The Paystack plugin initiated payment for ₦1, which we paid successfully. The system marked the transaction as complete and authorized delivery. Fix priority: critical. Remediated by modifying the checkout controller to load prices strictly from the WooCommerce database cache.

Running an e-commerce platform on WordPress? Secure your checkout pipeline.

Book a WordPress Security Audit

Frequently asked questions

Why are WordPress payment plugins targeted in Nigeria?

Many local merchants use Paystack, Flutterwave, or Monnify plugins to collect payments. If these plugins do not validate webhook payloads or allow parameter tampering, attackers can buy items without paying the actual price.

How does a WordPress security audit differ from a generic scan?

Generic scanners (like WPScan) only check for known vulnerabilities in published plugin versions. A manual penetration test checks custom code, payment callbacks, webhooks, and database configurations where logic exploits happen.

Can attackers hijack customer data through WordPress database leaks?

Yes. If the WordPress database config (wp-config.php) is exposed or if SQL injection exists in a plugin, attackers can extract user hashes, billing details, and API configuration parameters.

Related reading

Blog: Webhook security checklist · Business logic flaws · Rate limiting strategies

Services: Web penetration testing · Secure architecture review