CVE-2025-14460
Unauthorized Order Status Modification in Piraeus WooCommerce Plugin
Publication date: 2026-01-07
Last updated on: 2026-04-08
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | woo-payment-gateway-for-piraeus-bank | up to 3.1.4 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress (up to version 3.1.4) where unauthorized users can modify order statuses without proper authorization checks. Specifically, attackers can send a 'fail' callback to the payment callback endpoint using only the order ID, which is easy to guess because order IDs are sequential. This allows unauthenticated attackers to change any order's status to 'failed' via the WooCommerce API.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the WooCommerce API endpoint that handles payment callbacks, specifically looking for unauthorized attempts to change order statuses to 'failed' using the 'MerchantReference' parameter. Since order IDs are sequential integers, repeated POST or GET requests to the callback endpoint that cycle through different order IDs may indicate exploitation attempts. Web server logs or network monitoring tools can be used to filter such requests; for example, on Apache logs: `grep 'fail' /var/log/apache2/access.log | grep 'MerchantReference='`, or tcpdump or Wireshark to capture HTTP traffic to the callback URL. Additionally, checking for unexpected changes of order statuses to 'failed' in WooCommerce admin logs may help detect exploitation.
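The grep above only lists matching lines; what a defender actually wants is the pattern the answer describes, one source sending 'fail' callbacks for many different (often consecutive) order IDs in a short time, while the bank's own callbacks are left alone. The following script is an added example and is not part of this advisory or of the plugin: it parses Apache combined-format access log lines, keeps only callback requests that carry a 'MerchantReference' and a 'fail' value, and flags any client that hit at least `min_orders` distinct orders inside a sliding time window. The callback path (`wc-api=piraeus_callback`), the `ResultCode` parameter, the log lines and the trusted-gateway IP are all constructed assumptions; only 'MerchantReference' and the 'fail' keyword come from the advisory text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache combined-log lines (not real traffic). The callback
# path and the 'ResultCode' parameter are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "GET /?wc-api=piraeus_callback&MerchantReference=1001&ResultCode=fail HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [07/Jan/2026:10:00:02 +0000] "GET /?wc-api=piraeus_callback&MerchantReference=1002&ResultCode=fail HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [07/Jan/2026:10:00:03 +0000] "GET /?wc-api=piraeus_callback&MerchantReference=1003&ResultCode=fail HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [07/Jan/2026:10:05:00 +0000] "POST /?wc-api=piraeus_callback&MerchantReference=1010&ResultCode=fail HTTP/1.1" 200 12 "-" "Bank-Gateway/1.0"
198.51.100.7 - - [07/Jan/2026:10:05:30 +0000] "POST /?wc-api=piraeus_callback&MerchantReference=1011&ResultCode=fail HTTP/1.1" 200 12 "-" "Bank-Gateway/1.0"
198.51.100.7 - - [07/Jan/2026:10:06:00 +0000] "POST /?wc-api=piraeus_callback&MerchantReference=1012&ResultCode=fail HTTP/1.1" 200 12 "-" "Bank-Gateway/1.0"
198.51.100.7 - - [07/Jan/2026:10:06:30 +0000] "POST /?wc-api=piraeus_callback&MerchantReference=1013&ResultCode=success HTTP/1.1" 200 12 "-" "Bank-Gateway/1.0"
192.0.2.9 - - [07/Jan/2026:11:00:00 +0000] "GET /?wc-api=piraeus_callback&MerchantReference=1060&ResultCode=fail HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Jan/2026:11:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Constructed allowlist: the IP(s) the payment provider legitimately calls back from.
TRUSTED_GATEWAY_IPS = frozenset({"198.51.100.7"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_callback(line):
    """Return (ip, timestamp, order_id) for a 'fail' callback carrying MerchantReference, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("target")).query)
    refs = qs.get("MerchantReference")
    if not refs or not refs[0].isdigit():
        return None
    # The advisory only says a 'fail' callback is sent; which parameter carries it
    # is not stated, so match the keyword in any query value (like the page's grep).
    if not any("fail" in v.lower() for vals in qs.values() for v in vals):
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(refs[0])


def find_enumeration(log_text, trusted_ips=frozenset(), min_orders=3, window=timedelta(minutes=5)):
    """Flag source IPs that sent 'fail' callbacks for >= min_orders distinct orders within `window`.

    Returns {ip: {"orders": [sorted order ids], "sequential": bool}}; trusted IPs are skipped.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_callback(line)
        if parsed and parsed[0] not in trusted_ips:
            ip, ts, oid = parsed
            events[ip].append((ts, oid))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window so that evs[lo:hi+1] spans at most `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if len({oid for _, oid in evs[lo:hi + 1]}) >= min_orders:
                orders = sorted({oid for _, oid in evs})
                # Consecutive IDs are the signature of guessing sequential order numbers.
                sequential = orders[-1] - orders[0] + 1 == len(orders)
                flagged[ip] = {"orders": orders, "sequential": sequential}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG, trusted_ips=TRUSTED_GATEWAY_IPS).items():
        print(f"{ip}: {len(info['orders'])} orders, sequential={info['sequential']}: {info['orders']}")
```

Run against the constructed log, the script flags 203.0.113.5 (three consecutive order IDs in three seconds), ignores the trusted gateway address even though it also sent several 'fail' callbacks, and ignores 192.0.2.9, which touched only one order. Tune `min_orders` and `window` to the shop's normal callback volume, and feed the real gateway addresses into `trusted_ips` so that genuine payment failures are not reported as attacks.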
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Piraeus Bank WooCommerce Payment Gateway plugin to a version later than 3.1.4 where the authorization checks on the payment callback endpoint are properly implemented. If an update is not immediately available, restrict access to the payment callback endpoint by implementing firewall rules or web server access controls to allow only trusted IP addresses (such as those of Piraeus Bank). Additionally, monitor and audit order status changes closely to detect unauthorized modifications. Disabling the plugin temporarily until a patch is applied can also prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can cause significant business disruption by allowing attackers to mark orders as failed. This can lead to canceled shipments, inventory management problems, and loss of revenue due to orders being incorrectly marked as failed.