A vulnerability marked as critical has been reported in corvusinfo CorvusPay Plugin up to 2.7.4. The affected element is the function cancel of the file /wp-json/corvuspay/cancel of the component REST Endpoint. This manipulation causes authorization bypass.

This vulnerability is registered as CVE-2026-9028. Remote exploitation of the attack is possible. No exploit is available.