CVE-2025-14971
Unauthorized Data Modification in WooCommerce Plugin via Missing Capability Check
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | invoice_payment_for_woocommerce | up to and including 2.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Link Invoice Payment for WooCommerce plugin, in versions up to and including 2.8.0, performs no capability check in its createPartialPayment and cancelPartialPayment functions (CWE-862), so the data they modify can be changed by anyone who can reach the site. An unauthenticated attacker can create a partial payment on any order, or cancel an existing partial payment, simply by supplying or enumerating the relevant IDs; no login, nonce or other authorization is required. [1]
How can this vulnerability impact me? :
Anyone can create or cancel partial payments on your orders without authorization. The likely consequences are financial discrepancies between what was actually paid and what the store records, manipulated orders, and payment statuses that no longer reflect reality, which disrupts fulfilment and accounting and can cost revenue and customer trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation goes through the plugin's REST routes `/invoice_payments/create_partial_payment` and `/invoice_payments/cancel_partial_payment`, so the primary signal is POST requests to those routes, particularly from clients that carry no WordPress login cookie. Web server access logs or network monitoring can surface them. Two things a log search has to account for: WordPress also serves the REST API through the `?rest_route=/...` query form (sometimes with the slashes percent-encoded), which a pattern anchored on `/wp-json/` misses, and the site may sit under a path prefix. One pattern that covers both URL forms, assuming Apache and its default log location: `grep -Ei 'POST [^ ]*(wp-json/|rest_route=(/|%2F))invoice_payments(/|%2F)(create|cancel)_partial_payment' /var/log/apache2/access.log`. Confirm the `invoice_payments` namespace against the routes the installed plugin actually registers (the `/wp-json/` index lists them) before relying on the pattern. A 200 response to such a request from an unauthenticated client is successful exploitation, not a probe; after the fix the same request should return 401 or 403. Corroborate in WooCommerce itself by looking for partial-payment records, order notes or payment-status changes that no staff member made. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Update the Link Invoice Payment for WooCommerce plugin to a release later than 2.8.0, where the missing capability checks on `createPartialPayment` and `cancelPartialPayment` are fixed. 2) If you cannot update immediately, deny unauthenticated access to `/invoice_payments/create_partial_payment` and `/invoice_payments/cancel_partial_payment`, covering both the `/wp-json/...` and `?rest_route=...` URL forms, either with an allow-list of administrative IPs at the web server or with an mu-plugin that enforces a capability check before the request is dispatched. If the store legitimately lets customers use partial payments, test the checkout flow after adding the restriction, since it will block that use as well. 3) Watch the access log and order history for partial-payment activity nobody on staff initiated. 4) If none of this can be done promptly, deactivate or remove the plugin until it can be updated. [1]
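The following is an added illustration of the CWE-862 pattern behind this CVE and of the stopgap described above; it is not the plugin's own source. The namespace and route paths are the ones this page names, while the function names (`ipw_example_*`), the `order_id` parameter and the `manage_woocommerce` capability choice are assumptions. The "before" and "after" route registrations show the shape of the missing check and its fix; only the final `rest_pre_dispatch` filter is meant to be deployed (as a file in `wp-content/mu-plugins/`) on an unpatched site, where it both refuses unauthorized calls and writes each refusal to the PHP error log for the monitoring step.

```php
<?php
/**
 * Added example for CVE-2025-14971 (missing capability check on WP REST routes).
 * Not the plugin's code: route paths follow the advisory; ipw_example_* names,
 * the order_id parameter and the capability used are assumptions.
 */
defined( 'ABSPATH' ) || exit;

// BEFORE (vulnerable shape): '__return_true' tells WordPress to skip authorization
// entirely, so any visitor can POST an order ID to this route.
function ipw_example_register_routes_vulnerable() {
    register_rest_route( 'invoice_payments', '/create_partial_payment', array(
        'methods'             => 'POST',
        'callback'            => 'ipw_example_create_partial_payment',
        'permission_callback' => '__return_true',
    ) );
}
// Deliberately never hooked; kept only to show the missing check.

// AFTER (hardened shape): authorize in permission_callback and validate the order
// ID before the handler runs. Unauthenticated callers are user 0 and fail the
// capability test; cookie-authenticated callers must also have sent a valid
// X-WP-Nonce, otherwise WordPress treats them as logged out.
function ipw_example_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

function ipw_example_register_routes_hardened() {
    $common = array(
        'methods'             => 'POST',
        'permission_callback' => 'ipw_example_permission_check',
        'args'                => array(
            'order_id' => array( // assumed parameter name
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    // Reject IDs that do not resolve to an existing order.
                    return absint( $value ) > 0 && false !== wc_get_order( absint( $value ) );
                },
            ),
        ),
    );
    register_rest_route( 'invoice_payments', '/create_partial_payment',
        $common + array( 'callback' => 'ipw_example_create_partial_payment' ) );
    register_rest_route( 'invoice_payments', '/cancel_partial_payment',
        $common + array( 'callback' => 'ipw_example_cancel_partial_payment' ) );
}
add_action( 'rest_api_init', 'ipw_example_register_routes_hardened' );

// Handlers: the plugin's real partial-payment logic is not reproduced. These only
// record who acted on which order in the order notes, the audit trail that the
// detection step above looks for.
function ipw_example_create_partial_payment( WP_REST_Request $request ) {
    $order = wc_get_order( $request->get_param( 'order_id' ) );
    $order->add_order_note( sprintf( 'Partial payment requested via REST by user #%d', get_current_user_id() ) );
    return rest_ensure_response( array( 'order_id' => $order->get_id(), 'status' => $order->get_status() ) );
}

function ipw_example_cancel_partial_payment( WP_REST_Request $request ) {
    $order = wc_get_order( $request->get_param( 'order_id' ) );
    $order->add_order_note( sprintf( 'Partial payment cancelled via REST by user #%d', get_current_user_id() ) );
    return rest_ensure_response( array( 'order_id' => $order->get_id(), 'status' => $order->get_status() ) );
}

// HOTFIX for an unpatched install: rest_pre_dispatch runs before the matched
// route's own permission_callback, so it can refuse the two routes to anyone
// lacking the capability even though the plugin itself never checks. Each
// refusal is logged with the source address so attempts show up in the error log.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $guarded = array(
        '/invoice_payments/create_partial_payment',
        '/invoice_payments/cancel_partial_payment',
    );
    if ( ! in_array( $request->get_route(), $guarded, true ) || current_user_can( 'manage_woocommerce' ) ) {
        return $result; // not a guarded route, or the caller is authorized: continue normally
    }
    error_log( sprintf(
        'CVE-2025-14971 hotfix: refused %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
}, 10, 3 );
```

Because `get_route()` returns the normalized path whether the request arrived as `/wp-json/...` or `?rest_route=...`, the filter covers both URL forms without any pattern matching. `manage_woocommerce` is held by administrators and shop managers; if the store intentionally exposes partial payments to customers, that check is too strict and the plugin update, not the hotfix, is the real fix.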