CVE-2025-12355
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adedeji_a | payaza | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the Payaza plugin until a patched version is released, as the plugin has been temporarily closed and is unavailable for download pending a full security review. Additionally, restrict access to the 'wp_ajax_nopriv_update_order_status' AJAX endpoint if possible, and monitor your WordPress site for unauthorized changes to order statuses. [1]
Can you explain this vulnerability to me?
The Payaza plugin for WordPress has a vulnerability where it does not properly check user permissions on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint. This allows unauthenticated attackers to modify order statuses without authorization.
How can this vulnerability impact me? :
This vulnerability can allow attackers to change order statuses without permission, potentially leading to unauthorized manipulation of order data, which could disrupt business operations or cause financial discrepancies.