CVE-2025-14971
Unknown Unknown - Not Provided
Unauthorized Data Modification in WooCommerce Plugin via Missing Capability Check

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: Wordfence

Description
The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create partial payments on any order or cancel any existing partial payment via ID enumeration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14971
EUVD
EUVD-2025-206384
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor invoice_payment_for_woocommerce to 2.8.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Link Invoice Payment for WooCommerce plugin allows unauthenticated attackers to modify data by exploiting missing capability checks on the createPartialPayment and cancelPartialPayment functions. This means attackers can create partial payments on any order or cancel existing partial payments by enumerating IDs without proper authorization. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to create or cancel partial payments on orders, potentially leading to financial discrepancies, order manipulation, and unauthorized changes to payment statuses. This could disrupt business operations and cause loss of revenue or customer trust. [1]

Detection Guidance

This vulnerability can be detected by monitoring REST API calls to the endpoints `/create_partial_payment` and `/cancel_partial_payment` of the Link Invoice Payment for WooCommerce plugin. Since the vulnerability allows unauthenticated attackers to create or cancel partial payments via these endpoints, you can detect suspicious POST requests to these endpoints. For example, you can use web server access logs or network monitoring tools to filter for POST requests to URLs containing `/invoice_payments/create_partial_payment` or `/invoice_payments/cancel_partial_payment`. Commands to check web server logs (assuming Apache) might include: `grep 'POST /wp-json/invoice_payments/create_partial_payment' /var/log/apache2/access.log` and `grep 'POST /wp-json/invoice_payments/cancel_partial_payment' /var/log/apache2/access.log`. Additionally, monitoring for unusual order creation or cancellation activity in WooCommerce admin or database may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Updating the Link Invoice Payment for WooCommerce plugin to a version later than 2.8.0 where the missing capability checks on the `createPartialPayment` and `cancelPartialPayment` functions are fixed. 2) If an update is not immediately available, restrict access to the REST API endpoints `/create_partial_payment` and `/cancel_partial_payment` by implementing authentication or IP-based access controls to prevent unauthenticated access. 3) Monitor logs for suspicious activity related to partial payment creation or cancellation. 4) Consider disabling or removing the plugin temporarily if the vulnerability cannot be mitigated promptly. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14971. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart