CVE-2025-14978
Unauthorized Data Modification in PeachPay WooCommerce Plugin

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Wordfence

Description
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: peachpay
Product: peachpay_for_woocommerce
Version / Range: up to 1.119.8 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Detection Guidance

Detection can focus on monitoring unauthorized POST requests to the REST API endpoint `/wp-json/peachpay/v1/convesiopay/webhook`, which lacks proper capability checks. Network monitoring tools or web server logs can be used to identify suspicious or unexpected POST requests to this endpoint, for example by testing the endpoint with curl or by checking logs for POST requests without proper authentication. Commands to detect such activity might include:

1. Using curl to test the webhook endpoint:
   curl -X POST https://yourdomain.com/wp-json/peachpay/v1/convesiopay/webhook -d '{}'
2. Using grep on web server access logs to find POST requests to the webhook:
   grep 'POST /wp-json/peachpay/v1/convesiopay/webhook' /var/log/apache2/access.log
3. Using network monitoring tools such as tcpdump or Wireshark to filter HTTP POST requests to the endpoint.

Since the vulnerability allows unauthenticated modification of WooCommerce order statuses via this webhook, monitoring for unexpected changes in order statuses or unusual webhook activity is also recommended. [2]
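As an added example (not part of this CVE record or of the PeachPay project), the following Python script applies the log-based detection described above: it parses Apache combined-format access log lines, picks out POST requests to the webhook path (ignoring any query string), and reports those coming from addresses outside a source allowlist, with a per-source count. The sample log lines and the allowlist entry are constructed placeholders; the real ConvesioPay source addresses are not given on the page and must be filled in by the operator.

```python
import re
from collections import Counter

# Constructed sample Apache combined-format access log lines (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2026:10:01:02 +0000] "POST /wp-json/peachpay/v1/convesiopay/webhook HTTP/1.1" 200 45 "-" "python-requests/2.31"
198.51.100.20 - - [20/Jan/2026:10:02:15 +0000] "POST /wp-json/peachpay/v1/convesiopay/webhook HTTP/1.1" 200 45 "-" "ConvesioPay-Webhook/1.0"
203.0.113.7 - - [20/Jan/2026:10:02:40 +0000] "POST /wp-json/peachpay/v1/convesiopay/webhook?x=1 HTTP/1.1" 200 45 "-" "curl/8.4.0"
192.0.2.9 - - [20/Jan/2026:10:03:00 +0000] "GET /wp-json/wc/v3/orders HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2026:10:03:30 +0000] "GET /shop/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Hypothetical allowlist of legitimate webhook source addresses. The real
# ConvesioPay ranges are not on the page; replace this placeholder in production.
TRUSTED_WEBHOOK_SOURCES = {"198.51.100.20"}

# Endpoint named in the advisory.
WEBHOOK_PATH = "/wp-json/peachpay/v1/convesiopay/webhook"

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Drop the query string so the path comparison is exact.
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def is_webhook_post(entry):
    """True for POST requests to the ConvesioPay webhook route."""
    return entry["method"] == "POST" and entry["path"].rstrip("/") == WEBHOOK_PATH


def find_suspicious_webhook_calls(log_text, trusted=TRUSTED_WEBHOOK_SOURCES):
    """Return webhook POSTs whose source address is outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_webhook_post(entry) and entry["ip"] not in trusted:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "status": entry["status"], "ua": entry["ua"]})
    return hits


def summarize_by_source(hits):
    """Count flagged webhook calls per source address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_suspicious_webhook_calls(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} ua="{h["ua"]}"')
    print("per-source counts:", dict(summarize_by_source(flagged)))
```

Run it against a real log with `find_suspicious_webhook_calls(open("/var/log/apache2/access.log").read())`; a 200 response to a webhook POST from an address outside the allowlist is the case worth correlating with WooCommerce order status changes in the same time window.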

Mitigation Strategies

Immediate mitigation steps include:

1. Update the PeachPay for WooCommerce plugin to a version later than 1.119.8, where the missing capability checks on the ConvesioPay webhook REST endpoint are fixed.
2. If an update is not immediately possible, restrict access to the webhook endpoint `/wp-json/peachpay/v1/convesiopay/webhook` by implementing firewall rules or web server access controls that allow only trusted IP addresses (such as ConvesioPay servers).
3. Monitor WooCommerce order statuses for unauthorized changes.
4. Consider temporarily disabling the PeachPay plugin or the webhook route, if feasible, until a patch is applied.

These steps help prevent unauthenticated attackers from modifying order statuses via the vulnerable webhook endpoint. [2]

Executive Summary

The vulnerability in the PeachPay for WooCommerce plugin is due to missing capability checks on the ConvesioPay webhook REST endpoint. This flaw allows unauthenticated attackers to send requests to the webhook endpoint and modify the status of arbitrary WooCommerce orders without proper authorization.

Impact Analysis

This vulnerability can allow attackers to change the status of WooCommerce orders without authentication. This could lead to unauthorized order modifications, potentially causing financial discrepancies, order fulfillment issues, or manipulation of payment statuses in your e-commerce store.
