CVE-2026-11575 PhonePe Payment Solutions < 3.1.0 - Unauthenticated Payment Bypass via Forged Callback
The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...