Executive Summary

CVE-2025-14450 is a vulnerability in the Wallet System for WooCommerce WordPress plugin, where the function 'change_wallet_fund_request_status_callback' lacks proper capability checks. This allows authenticated users with Subscriber-level access or higher to manipulate wallet withdrawal requests. Specifically, they can arbitrarily increase their own wallet balance or decrease other users' balances by exploiting insufficient authorization in the wallet fund request approval process. The vulnerability arises because the plugin does not adequately verify user permissions when changing the status of wallet fund requests, enabling unauthorized modification of wallet balances and transaction records. [4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers with low-level authenticated access (Subscriber or above) to fraudulently increase their wallet balance or reduce the balances of other users. This can lead to financial loss, unauthorized fund transfers, and disruption of wallet-related transactions within your WooCommerce store. It undermines the integrity of wallet balances and transaction records, potentially causing monetary damage and loss of trust in your e-commerce platform. [4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring AJAX requests to the 'change_wallet_fund_request_status_callback' endpoint in the Wallet System for WooCommerce plugin. Look for unauthorized or suspicious POST requests that attempt to change wallet fund request statuses (approved, rejected, pending) especially from users with Subscriber-level access or above. Commands to detect such activity could include inspecting web server logs or using tools like curl to simulate or check for these AJAX calls. For example, you can use a command to check recent POST requests to the AJAX handler URL in your web server logs: `grep 'POST.*change_wallet_fund_request_status_callback' /path/to/access.log`. Additionally, monitoring for unexpected changes in user wallet balances or withdrawal request statuses in the WordPress database could indicate exploitation attempts. [1, 4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the Wallet System for WooCommerce plugin to a version later than 2.7.2 where this vulnerability is fixed. If an update is not immediately available, restrict access to the AJAX endpoint by limiting permissions so that only trusted users with appropriate capabilities can invoke 'change_wallet_fund_request_status_callback'. Additionally, monitor and audit wallet fund request status changes and user wallet balances for suspicious activity. Implement additional capability checks or custom code to enforce stricter authorization on wallet fund request status changes until an official patch is applied. [4, 3]

Useful 0 Not Useful 0