CVE-2025-14843
Unknown Unknown - Not Provided
Unauthenticated Arbitrary Order Cancellation in Wizit Gateway WooCommerce Plugin

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14843
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wizit wizit_gateway_for_woocommerce to 1.2.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Wizit Gateway for WooCommerce plugin (up to version 1.2.9) allows unauthenticated attackers to cancel arbitrary WooCommerce orders. This happens because the 'handle_checkout_redirecturl_response' function lacks proper authentication and authorization checks, enabling attackers to send crafted requests with valid order IDs to cancel orders without permission. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to cancel legitimate WooCommerce orders without authentication. This could disrupt your order processing, cause financial loss, damage customer trust, and create operational issues in your e-commerce store. [1]

Detection Guidance

You can detect this vulnerability by monitoring for unauthenticated HTTP requests attempting to cancel WooCommerce orders via the 'handle_checkout_redirecturl_response' function. Specifically, look for HTTP requests containing crafted parameters with valid order IDs targeting the Wizit Gateway for WooCommerce plugin endpoints. Network monitoring tools or web server logs can be searched for such suspicious requests. However, no specific detection commands are provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include disabling the Wizit Gateway for WooCommerce plugin until a patched version beyond 1.2.9 is available, or restricting access to the plugin's endpoints to authenticated users only. Additionally, review and tighten authentication and authorization checks around order cancellation processes in WooCommerce. Monitoring and logging suspicious cancellation requests can also help mitigate exploitation risks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart