CVE-2025-14450
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | wallet_system_for_woocommerce | up to and including 2.7.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14450 is a vulnerability in the Wallet System for WooCommerce WordPress plugin, where the function 'change_wallet_fund_request_status_callback' lacks proper capability checks. This allows authenticated users with Subscriber-level access or higher to manipulate wallet withdrawal requests. Specifically, they can arbitrarily increase their own wallet balance or decrease other users' balances by exploiting insufficient authorization in the wallet fund request approval process. The vulnerability arises because the plugin does not adequately verify user permissions when changing the status of wallet fund requests, enabling unauthorized modification of wallet balances and transaction records. [4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers with low-level authenticated access (Subscriber or above) to fraudulently increase their wallet balance or reduce the balances of other users. This can lead to financial loss, unauthorized fund transfers, and disruption of wallet-related transactions within your WooCommerce store. It undermines the integrity of wallet balances and transaction records, potentially causing monetary damage and loss of trust in your e-commerce platform. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring AJAX requests to the 'change_wallet_fund_request_status_callback' endpoint in the Wallet System for WooCommerce plugin. Look for unauthorized or suspicious POST requests that attempt to change wallet fund request statuses (approved, rejected, pending), especially from users with Subscriber-level access or above. Detection can include inspecting web server logs or using tools like curl to simulate or check for these AJAX calls. For example, the following command lists recent POST requests to the AJAX handler in your web server logs: `grep 'POST.*change_wallet_fund_request_status_callback' /path/to/access.log`. Additionally, unexpected changes to user wallet balances or withdrawal request statuses in the WordPress database could indicate exploitation attempts. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Wallet System for WooCommerce plugin to a version later than 2.7.2 where this vulnerability is fixed. If an update is not immediately available, restrict access to the AJAX endpoint by limiting permissions so that only trusted users with appropriate capabilities can invoke 'change_wallet_fund_request_status_callback'. Additionally, monitor and audit wallet fund request status changes and user wallet balances for suspicious activity. Implement additional capability checks or custom code to enforce stricter authorization on wallet fund request status changes until an official patch is applied. [4, 3]
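The two answers above recommend (a) watching for status-change requests that come from low-privileged users and (b) adding capability checks until the official patch is applied. The block below is an added example, not the plugin's own code and not taken from the Wordfence advisory: it shows what a correctly guarded WordPress AJAX handler for this operation looks like, and it logs every rejected attempt from inside the handler. Logging from inside the handler matters because a standard web server access log records only the request line, not the POST body where WordPress AJAX parameters such as the action name travel, so the grep in the detection answer will miss requests that an in-handler log line would catch. The AJAX action name `wsfw_change_fund_request_status`, the request fields `request_id`, `status` and `_wpnonce`, and the `wsfw_fund_request_status_change` hook are hypothetical placeholders; only the callback name `change_wallet_fund_request_status_callback` comes from the advisory. The WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_send_json_success`, `sanitize_text_field`, `wp_unslash`, `absint`, `get_current_user_id`, `add_action`, `do_action`) are real core APIs.

```php
<?php
/**
 * Added example (not the plugin's code): a guarded replacement for the kind of
 * AJAX handler CVE-2025-14450 describes, i.e. one that changes a wallet fund
 * request's status. It adds the authorization check the advisory says the
 * original change_wallet_fund_request_status_callback lacks (CWE-862), plus a
 * nonce check, input validation and a log line for every rejected request.
 *
 * Hypothetical names (not taken from the plugin): the AJAX action
 * 'wsfw_change_fund_request_status', the POST fields 'request_id', 'status'
 * and '_wpnonce', and the 'wsfw_fund_request_status_change' action hook.
 */

// The only status values the advisory mentions; anything else is rejected.
const WSFW_ALLOWED_STATUSES = array( 'approved', 'rejected', 'pending' );

function wsfw_guarded_change_fund_request_status() {
    // 1. Nonce check: a forged cross-site request dies here with HTTP 403.
    check_ajax_referer( 'wsfw_change_fund_request_status', '_wpnonce' );

    // 2. Capability check, the actual fix for CWE-862. 'manage_woocommerce' is
    //    granted to Shop Managers and Administrators; a Subscriber fails here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wsfw_log_denied_attempt( 'insufficient_capability' );
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input validation: a positive request id and one of the known statuses.
    $request_id = isset( $_POST['request_id'] ) ? absint( $_POST['request_id'] ) : 0;
    $status     = isset( $_POST['status'] )
        ? sanitize_text_field( wp_unslash( $_POST['status'] ) )
        : '';

    if ( 0 === $request_id || ! in_array( $status, WSFW_ALLOWED_STATUSES, true ) ) {
        wsfw_log_denied_attempt( 'invalid_input' );
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 4. Only now perform the state change. The plugin's own balance and
    //    record updates would hang off this hook; here it is just dispatched.
    do_action( 'wsfw_fund_request_status_change', $request_id, $status, get_current_user_id() );
    wp_send_json_success( array( 'request_id' => $request_id, 'status' => $status ) );
}

/** One structured line per rejected attempt, written to the PHP error log for SIEM pickup. */
function wsfw_log_denied_attempt( $reason ) {
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $action = isset( $_POST['action'] ) ? sanitize_text_field( wp_unslash( $_POST['action'] ) ) : '';
    error_log( sprintf(
        'wsfw_denied reason=%s user_id=%d ip=%s action=%s',
        $reason,
        get_current_user_id(),
        $ip,
        $action
    ) );
}

// Registered for logged-in users only. No wp_ajax_nopriv_ hook is added, so
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_wsfw_change_fund_request_status', 'wsfw_guarded_change_fund_request_status' );
```

Dropped into a small must-use plugin, the guard applies regardless of the plugin version, which is what the mitigation answer means by "custom code to enforce stricter authorization until an official patch is applied". The `wsfw_denied` lines it writes are what to alert on: a Subscriber account producing `reason=insufficient_capability` against this action is the exact pattern the advisory describes.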