Hijacking of thousands of WordPress sites possible with PayU plugin bug

More than 5,000 WordPress sites could have their user accounts taken over through a critical flaw in the PayU CommercePro plugin, tracked as CVE-2025-31022, reports Infosecurity Magazine. According to a report from Patchstack, the vulnerability stems from an insecure /payu/v1/get-shipping-cost API route combined with unsafe handling in the plugin's update_cart_data() function. An attacker could obtain an auth token via a trusted hardcoded email, call the shipping cost API with the target's email, and trigger update_cart_data(), ultimately compromising the target's WordPress account. Beyond spoofing registered users without any login credentials, attackers could also conceal their activity more easily after a hijack, because the plugin removes temporary guest accounts, Patchstack said. With no patch yet released for the vulnerable plugin, immediate deactivation and deletion are recommended. The issue should also prompt developers to audit their public API endpoints and remove hardcoded credentials.
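As an added illustration (not code from the PayU CommercePro plugin, and not taken from Patchstack's report), the following hypothetical WordPress snippet shows the general shape of the flaw class the article describes beside its hardened form: a public REST route that selects the account from a caller-supplied e-mail, versus one that requires an authenticated session and derives the user from it. The route names, function names and the pricing helper are invented for the example.

```php
<?php
/**
 * Hypothetical illustration of a REST route that trusts request data to
 * identify the user, beside a hardened version. Not the PayU plugin's code.
 */

// Weak pattern: the route is public and picks the account from the body.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/shipping-cost-weak', [
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => '__return_true', // anyone on the internet
        'callback'            => 'example_shipping_cost_weak',
    ]);
});

function example_shipping_cost_weak(WP_REST_Request $request) {
    // The account is chosen by whatever e-mail the caller sends, so any
    // registered user's address in this field lets the caller act as them.
    $user = get_user_by('email', sanitize_email($request->get_param('email')));
    if (!$user) {
        return new WP_Error('no_user', 'Unknown user', ['status' => 404]);
    }
    // Binding the session to the looked-up account turns a shipping-cost
    // lookup into an account takeover without any credentials.
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    return rest_ensure_response(['user' => $user->ID, 'cost' => example_cost()]);
}

// Hardened pattern: the caller must already be authenticated, identity comes
// from the session, and the request body can never name a different account.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/shipping-cost', [
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            // WordPress only treats a cookie-authenticated REST request as
            // logged in when it carries a valid X-WP-Nonce; requiring a login
            // here therefore also rules out unauthenticated callers.
            return is_user_logged_in();
        },
        'callback'            => 'example_shipping_cost',
        'args'                => [
            'postcode' => [
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ]);
});

function example_shipping_cost(WP_REST_Request $request) {
    $user_id = get_current_user_id(); // from the session, not the body
    if (!$user_id) {
        return new WP_Error('rest_forbidden', 'Login required', ['status' => 401]);
    }
    // No hardcoded "trusted" address and no session changes: the handler
    // only reads data for the caller it has already authenticated.
    $postcode = $request->get_param('postcode');
    return rest_ensure_response([
        'user' => $user_id,
        'cost' => example_cost($postcode),
    ]);
}

function example_cost($postcode = '') {
    // Placeholder pricing (invented) so the example is self-contained.
    return $postcode === '' ? 0 : 5;
}
```

A quick audit of a plugin for this pattern is to search its source for `'permission_callback' => '__return_true'` and for any handler that calls `wp_set_current_user()` or `wp_set_auth_cookie()` on a user resolved from request parameters rather than from the existing session; either one in a public route deserves a closer look.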