CVE-2025-14460
Unknown Unknown - Not Provided
Unauthorized Order Status Modification in Piraeus WooCommerce Plugin

Publication date: 2026-01-07

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14460
EUVD
EUVD-2026-1306
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor woo-payment-gateway-for-piraeus-bank to 3.1.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress (up to version 3.1.4) where unauthorized users can modify order statuses without proper authorization checks. Specifically, attackers can send a 'fail' callback to the payment callback endpoint using only the order ID, which is easy to guess because order IDs are sequential. This allows unauthenticated attackers to change any order's status to 'failed' via the WooCommerce API.

Impact Analysis

This vulnerability can cause significant business disruption by allowing attackers to mark orders as failed. This can lead to canceled shipments, inventory management problems, and loss of revenue due to orders being incorrectly marked as failed.

Detection Guidance

This vulnerability can be detected by monitoring requests to the WooCommerce API endpoint that handles payment callbacks, specifically looking for unauthorized attempts to change order statuses to 'failed' using the 'MerchantReference' parameter. Since order IDs are sequential integers, suspicious repeated POST or GET requests with different order IDs targeting the payment callback endpoint may indicate exploitation attempts. Commands to detect such activity could include using web server logs or network monitoring tools to filter requests. For example, using grep on Apache logs: `grep 'fail' /var/log/apache2/access.log | grep 'MerchantReference='` or using tools like tcpdump or Wireshark to capture HTTP traffic targeting the callback URL. Additionally, checking for unexpected changes in order statuses to 'failed' in WooCommerce admin logs may help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include updating the Piraeus Bank WooCommerce Payment Gateway plugin to a version later than 3.1.4 where the authorization checks on the payment callback endpoint are properly implemented. If an update is not immediately available, restrict access to the payment callback endpoint by implementing firewall rules or web server access controls to allow only trusted IP addresses (such as those of Piraeus Bank). Additionally, monitor and audit order status changes closely to detect unauthorized modifications. Disabling the plugin temporarily until a patch is applied can also prevent exploitation.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14460. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart