PatchSiren

PhonePe CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review PhonePe CVE published 2026-07-17

CVE-2026-11575

The PhonePe Payment Solutions WordPress plugin before 3.1.0 has a vulnerability that allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made. This is because the secret used to validate the callback signature is empty on sites configured through the current setup flow, reducing the expected signature to an unkeyed h [truncated]