CVE-2025-15512
Unknown Unknown - Not Provided
Unauthorized Data Modification in Aplazo Plugin via Missing Capability Check

Publication date: 2026-01-14

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-14
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15512
EUVD
EUVD-2026-2528
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aplazo payment_gateway to 1.4.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Aplazo Payment Gateway plugin for WordPress exists because the check_success_response() function lacks a capability check. This allows unauthenticated attackers to modify WooCommerce orders by setting any order's status to 'pending payment' without proper authorization. Essentially, attackers can manipulate order statuses without being logged in or having permissions. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to change the status of WooCommerce orders to 'pending payment'. This could lead to confusion in order processing, potential disruption of sales workflows, and inaccurate order status reporting. It may also be exploited to interfere with payment processing or order fulfillment. [1]

Detection Guidance

You can detect this vulnerability by checking if your WordPress installation uses the Aplazo Payment Gateway plugin version 1.4.2 or earlier. Specifically, look for the presence of the AJAX endpoint 'check_success_response' which allows unauthenticated requests to set WooCommerce orders to 'pending payment' status. To detect exploitation attempts, monitor your web server logs for POST requests to 'wp-admin/admin-ajax.php' with the action parameter 'check_success_response' coming from unauthenticated sources. Example command to search Apache logs for such requests: grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=check_success_response'. Additionally, you can query your WooCommerce orders for unexpected status changes to 'pending payment' that were not initiated by authenticated users. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Aplazo Payment Gateway plugin to a version later than 1.4.2 where the missing capability check is fixed. If an update is not yet available, temporarily disable the plugin to prevent exploitation. Additionally, restrict access to the AJAX endpoint 'check_success_response' by implementing authentication checks or firewall rules to block unauthenticated requests. Monitor WooCommerce orders for suspicious status changes and review logs for unauthorized activity. Consider applying custom code patches to add capability checks to the 'check_success_response' function until an official fix is released. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart