Cyber Posture

CVE-2026-33661

Severity: High · Public PoC

Published: 26 March 2026
Modified: 01 April 2026
KEV Added: (not listed)
Patch: available (see Security Summary)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.0001 (percentile: 3.2)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2026-33661 affects the open-source Pay SDK, an extension package for integrating various Chinese payment services, including WeChat Pay. In versions prior to 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` bypasses all RSA signature verification if the PSR-7 HTTP request specifies `localhost` as the host header. This flaw, classified under CWE-290 (Authentication Bypass by Spoofing), carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N), highlighting its high severity due to network accessibility and scope change.

Any unauthenticated remote attacker can exploit this vulnerability by sending an HTTP request to an application's WeChat Pay callback endpoint with the `Host` header set to `localhost`. The SDK then skips signature checks entirely, so forged payment-success notifications are accepted as genuine. The target application may consequently mark orders as paid and ship goods or credit accounts although the customer never paid, causing financial loss.

The GitHub security advisory (GHSA-q938-ghwv-8gvc), the release notes for v3.7.20, and the fixing commit (26987ebf789f1e7f0a85febb640986ab4289fd7f) confirm that upgrading to version 3.7.20 resolves the issue by removing the unconditional localhost bypass from signature verification. Security practitioners should prioritize patching affected Pay SDK integrations and review callback endpoint configurations so that a spoofed `Host` header cannot reach application logic that trusts it.
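The defensive shape the fix points at is a notification verifier in which nothing about the request (the Host header included) can short-circuit the RSA check. The PHP below is an added example, not code from the Pay SDK or from its fixing commit. It assumes the WeChat Pay v3 header names (`Wechatpay-Timestamp`, `Wechatpay-Nonce`, `Wechatpay-Signature`) and the `timestamp\nnonce\nbody\n` message layout, and it signs a constructed payload with a throwaway RSA key pair generated in the script so it runs offline with only ext-openssl.

```php
<?php
declare(strict_types=1);

// Added example, not the Pay SDK's own code. Shows a WeChat Pay v3 notification
// verifier in which the platform public key is always checked and no request
// attribute (Host header included) can skip the check. Header names and the
// "timestamp\nnonce\nbody\n" layout are assumptions taken from WeChat Pay v3;
// confirm them against the official API documentation.

/** Case-insensitive header lookup over a name => value (or name => [values]) array. */
function header_value(array $headers, string $name): string
{
    foreach ($headers as $k => $v) {
        if (strcasecmp((string) $k, $name) === 0) {
            return is_array($v) ? (string) ($v[0] ?? '') : (string) $v;
        }
    }
    return '';
}

/**
 * Returns true only when the SHA256withRSA signature over
 * "timestamp\nnonce\nbody\n" validates against $platformPublicKeyPem and the
 * timestamp lies within $maxSkewSeconds of $now.
 *
 * Deliberately absent: any early `return true` keyed on the Host header or the
 * request URI. That branch is the CWE-290 pattern behind CVE-2026-33661; the
 * Host header is client-controlled and must never influence signature checks.
 */
function verify_wechat_notification(array $headers, string $body, string $platformPublicKeyPem, int $now, int $maxSkewSeconds = 300): bool
{
    $timestamp = header_value($headers, 'Wechatpay-Timestamp');
    $nonce     = header_value($headers, 'Wechatpay-Nonce');
    $signature = header_value($headers, 'Wechatpay-Signature');
    if ($timestamp === '' || $nonce === '' || $signature === '') {
        return false; // missing material: reject, never fall through
    }
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > $maxSkewSeconds) {
        return false; // replayed or stale notification
    }
    $rawSig = base64_decode($signature, true);
    if ($rawSig === false) {
        return false; // malformed signature encoding
    }
    $key = openssl_pkey_get_public($platformPublicKeyPem);
    if ($key === false) {
        return false; // unusable platform key: fail closed
    }
    $message = $timestamp . "\n" . $nonce . "\n" . $body . "\n";
    // openssl_verify(): 1 = valid, 0 = invalid, -1/false = error. Only 1 passes.
    return openssl_verify($message, $rawSig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// --- Self-contained demonstration with a throwaway key pair (constructed) ---
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$now   = time();
$body  = '{"id":"demo-notify-1","event_type":"TRANSACTION.SUCCESS"}'; // constructed payload
$nonce = bin2hex(random_bytes(16));
openssl_sign($now . "\n" . $nonce . "\n" . $body . "\n", $sig, $privatePem, OPENSSL_ALGO_SHA256);

$genuine = [
    'Host'                => 'localhost', // present to show it plays no role in the decision
    'Wechatpay-Timestamp' => (string) $now,
    'Wechatpay-Nonce'     => $nonce,
    'Wechatpay-Signature' => base64_encode($sig),
];
$forged = $genuine;
$forged['Wechatpay-Signature'] = base64_encode(str_repeat("\0", 256));

var_dump(verify_wechat_notification($genuine, $body, $publicPem, $now));        // genuine notification
var_dump(verify_wechat_notification($forged, $body, $publicPem, $now));         // bogus signature
var_dump(verify_wechat_notification($genuine, $body . ' ', $publicPem, $now));  // body tampered after signing
var_dump(verify_wechat_notification($genuine, $body, $publicPem, $now + 3600)); // stale timestamp
```

The design point is that every branch other than a successful `openssl_verify()` returns `false`: missing headers, a bad base64 string, an unloadable key and a stale timestamp all fail closed, and there is no environment- or host-dependent shortcut. When reviewing a callback handler for this class of bug, search for any conditional return before the verification call and ask whether its input can be set by the client; a `Host` header comparison is exactly that.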

Details

CWE(s): CWE-290

Affected Products

Vendor: yansongda
Product: pay
Versions: ≤ 3.7.20

MITRE ATT&CK Enterprise Techniques

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows network-accessible attackers to exploit a public-facing web application's callback endpoint by spoofing the Host header to bypass authentication, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
