Novalnet for WooCommerce: Critical Vulnerability (CVE-2026-57677)
This text was generated using artificial intelligence (AI).According to Patchstack, on July 2, 2026, a critical security vulnerability was discovered in the WordPress plugin Novalnet Payment Gateway for WooCommerce with a CVSS score of 9.8 published. The vulnerability, registered as CVE-2026-57677, affects all versions up to and including 12.10.3 and allows attackers to completely take over an online store without prior authentication.
Affected software: Novalnet Payment Gateway for WooCommerce <= 12.10.3
Type of attack: Unauthenticated PHP Object Injection
Active Exploitation: No active exploitation known at the time of publication (as of July 2, 2026)
Recommendation: Immediate update to version 12.10.4
Technical Analysis of CVE-2026-57677
According to the report published by Patchstack, Advisory The cause of the vulnerability lies in the insecure processing of serialized data. An attacker can send specially crafted input to the plugin, which—provided a suitable POP chain exists—could lead to the execution of arbitrary PHP code on the server during deserialization. This process does not require any credentials or user interaction.
The CVSS score CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes the high risk:
Attack Vector: Network (AV:N): The attack can originate from the Internet.
Attack Complexity: Low (AC:L): It's easy to use.
Privileges Required: None (PR:N): No login credentials are required.
User Interaction: None (UI:N): The attack does not require any action on the part of the user.
Impact: High (C:H, I:H, A:H): A successful attack maximally compromises the system's confidentiality, integrity, and availability.
An attacker can thus access sensitive customer data and payment information, manipulate transactions, or bring the entire online store to a standstill.
Affected Systems and Risk Assessment
All e-commerce operators using WooCommerce in combination with the affected Novalnet plugin in a vulnerable version are at risk. Since the plugin is directly integrated into the payment process, the potential for damage is particularly high. Attackers could redirect payment transactions to their own accounts or use the compromised server for further attacks. Given that the vulnerability can be exploited easily and without authentication, it is likely that automated scans will be conducted to search for vulnerable systems.
Since Novalnet AG is a German company based in Garching near Munich, and according to WordPress.org the plugin is running on approximately 1,000 active installations, the majority of those affected are website operators in the DACH region. Companies that process personal data of EU citizens should note: If the vulnerability is exploited and a data breach occurs, they are required under Article 33 of the GDPR to report the incident to the relevant data protection authority within 72 hours. Operators subject to the NIS 2 Directive—such as critical or essential facilities in the fields of digital infrastructure or commerce—should also incorporate the vulnerability into their incident reporting chain and risk management processes.
Recommended countermeasures
Online store owners should take immediate action to protect their systems.
1. Immediate review: Verify the installed version of the „Novalnet Payment Gateway for WooCommerce“ plugin in your WordPress dashboard. Versions up to and including 12.10.3 are vulnerable.
2. Prepare for and perform the update: Update the plugin immediately to Version 12.10.4, which addresses the vulnerability (improved webhook validation). Older versions up to and including 12.10.3 are vulnerable.
3. Temporary measures (if no update is available):
Disable plugin: If an update is not immediately possible, disable the plugin to close the attack vector. Please note that this will affect payment processing.
Web Application Firewall (WAF): Set up WAF rules that detect and block known patterns of PHP deserialization attacks. This serves as an additional layer of protection but does not replace the necessary software update.
How EASM Supports Risk Identification
Vulnerabilities such as CVE-2026-57677 illustrate how important it is to have a complete view of one’s own external attack surface. In practice, many organizations do not know which plugins and software components are actually active on their internet-connected systems—especially when, over the years, subsystems, microsites, or e-commerce instances have been created that are no longer managed centrally.
An External Attack Surface Management (EASM) solution like LocateRisk helps uncover precisely these blind spots: The platform identifies externally accessible components, such as the Novalnet plugin, based on characteristic features, such as specific file paths like /wp-content/plugins/woocommerce-novalnet-gateway/, and creates a continuously updated inventory of all exposed assets. This makes it possible to identify forgotten shop instances, untracked cloud deployments, or unmonitored test environments that fall outside the regular patching process. This transparency enables security teams to quickly locate affected systems following a vulnerability disclosure and to precisely manage the patching process—thereby minimizing the risk of exploitation.
LocateRisk is a solution developed and hosted in Germany that helps organizations comply with GDPR requirements and meets digital sovereignty standards.
PHP Object Injection is a vulnerability in which an attacker sends manipulated, serialized data to an application that deserializes it without sufficient validation. In the case of CVE-2026-57677, this can result in arbitrary PHP code being executed on the web server—without the attacker needing to have access credentials or prompt a user to interact.
This affects all versions of the Novalnet Payment Gateway for WooCommerce up to and including version 12.10.3. The vulnerability was fixed in version 12.10.4 Fixed; an update to this version is strongly recommended.
Temporarily disable the plugin to close the attack vector, and additionally set up WAF rules that detect and block known PHP deserialization attack patterns. As soon as possible, update the plugin to version 12.10.4, which fixes the vulnerability.
CVE Quick Check
In just a few minutes, check whether there are any indications of a current CVE on your externally visible attack surface.
A rough estimate in just a few minutes via email.
Learn more during a free consultation with a LocateRisk consultant.
You'll receive this by email
companyYour Company, LLC
Verified CVECVE-2024-3094
Passive Assessment
Information About the CVENotes found
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.