CVE-2025-14978
Unauthorized Data Modification in PeachPay WooCommerce Plugin
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| peachpay | peachpay_for_woocommerce | up to and including 1.119.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring unauthorized POST requests to the REST API endpoint `/wp-json/peachpay/v1/convesiopay/webhook`, which lacks proper capability checks. You can use network monitoring tools or web server logs to identify suspicious or unexpected POST requests to this endpoint, for example by using curl to test the endpoint or by checking logs for POST requests without proper authentication. Commands to detect such activity might include:

1. Using curl to test the webhook endpoint: `curl -X POST https://yourdomain.com/wp-json/peachpay/v1/convesiopay/webhook -d '{}'`
2. Using grep on web server access logs to find POST requests to the webhook: `grep 'POST /wp-json/peachpay/v1/convesiopay/webhook' /var/log/apache2/access.log`
3. Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the endpoint.

Since the vulnerability allows unauthenticated modification of WooCommerce order statuses via this webhook, monitoring for unexpected changes in order statuses or unusual webhook activity is also recommended. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the PeachPay for WooCommerce plugin to a version later than 1.119.8, where the missing capability checks on the ConvesioPay webhook REST endpoint are fixed.
2. If an update is not immediately possible, restrict access to the webhook endpoint `/wp-json/peachpay/v1/convesiopay/webhook` by implementing firewall rules or web server access controls that allow only trusted IP addresses (such as ConvesioPay servers).
3. Monitor WooCommerce order statuses for unauthorized changes.
4. Consider temporarily disabling the PeachPay plugin or the webhook route, if feasible, until a patch is applied.

These steps help prevent unauthenticated attackers from modifying order statuses via the vulnerable webhook endpoint. [2]
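The detection answer above suggests grepping access logs for POSTs to the webhook, and mitigation step 2 suggests allowing only trusted source IPs. The script below combines the two ideas into a log check that reports webhook POSTs from outside a trusted network list. It is an added example, not code from the page, from Wordfence, or from the PeachPay plugin; the log lines are constructed, and the trusted range `203.0.113.0/24` is a placeholder, since the page does not list the payment provider's real addresses.

```python
import ipaddress
import re
from typing import Iterable

# Endpoint named in the advisory's detection and mitigation guidance.
WEBHOOK_PATH = "/wp-json/peachpay/v1/convesiopay/webhook"

# Apache/nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_untrusted_webhook_posts(log_lines: Iterable[str], trusted_networks: Iterable[str]) -> list[dict]:
    """Return POST requests to the webhook whose source IP lies outside the trusted networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string and trailing slash so "/webhook/?x=1" still matches the route.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != WEBHOOK_PATH:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed source field; not a usable address
        if any(ip in net for net in nets):
            continue  # request came from an allowlisted provider range
        hits.append({"ip": m["ip"], "time": m["time"], "status": int(m["status"])})
    return hits

# Constructed sample log lines (not from the page). 203.0.113.0/24 is a placeholder for the
# provider's trusted range; real ranges must come from the provider's documentation.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jan/2026:10:00:01 +0000] "POST /wp-json/peachpay/v1/convesiopay/webhook HTTP/1.1" 200 12 "-" "ConvesioPay"',
    '198.51.100.7 - - [20/Jan/2026:10:02:15 +0000] "POST /wp-json/peachpay/v1/convesiopay/webhook HTTP/1.1" 200 12 "-" "curl/8.4.0"',
    '198.51.100.7 - - [20/Jan/2026:10:02:16 +0000] "GET /wp-json/peachpay/v1/convesiopay/webhook HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '192.0.2.44 - - [20/Jan/2026:10:05:00 +0000] "POST /wp-json/peachpay/v1/convesiopay/webhook/?order=5 HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '192.0.2.44 - - [20/Jan/2026:10:05:01 +0000] "POST /wp-json/wc/v3/orders HTTP/1.1" 401 0 "-" "python-requests/2.31"',
]
TRUSTED = ["203.0.113.0/24"]

if __name__ == "__main__":
    for hit in find_untrusted_webhook_posts(SAMPLE_LOG, TRUSTED):
        print(f"{hit['time']} untrusted webhook POST from {hit['ip']} (HTTP {hit['status']})")
```

A hit with HTTP 200 from an untrusted address is the case worth cross-checking against WooCommerce order status changes at the same timestamp, as the answers above recommend.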
Can you explain this vulnerability to me?
The vulnerability in the PeachPay for WooCommerce plugin is due to missing capability checks on the ConvesioPay webhook REST endpoint. This flaw allows unauthenticated attackers to send requests to the webhook endpoint and modify the status of arbitrary WooCommerce orders without proper authorization.
How can this vulnerability impact me?
This vulnerability can allow attackers to change the status of WooCommerce orders without authentication. This could lead to unauthorized order modifications, potentially causing financial discrepancies, order fulfillment issues, or manipulation of payment statuses in your e-commerce store.