A vulnerability marked as critical has been reported in corvusinfo CorvusPay Plugin up to 2.7.4. The affected element is the function
cancel of the file /wp-json/corvuspay/cancel of the component REST Endpoint. This manipulation causes authorization bypass.
This vulnerability is registered as CVE-2026-9028. Remote exploitation of the attack is possible. No exploit is available.