CVE-2025-15512
Unauthorized Data Modification in Aplazo Plugin via Missing Capability Check
Publication date: 2026-01-14
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aplazo | payment_gateway | up to 1.4.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Aplazo Payment Gateway plugin for WordPress exists because the check_success_response() function lacks a capability check. This allows unauthenticated attackers to modify WooCommerce orders by setting any order's status to 'pending payment' without proper authorization. Essentially, attackers can manipulate order statuses without being logged in or having permissions. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to change the status of WooCommerce orders to 'pending payment'. This could lead to confusion in order processing, potential disruption of sales workflows, and inaccurate order status reporting. It may also be exploited to interfere with payment processing or order fulfillment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress installation uses the Aplazo Payment Gateway plugin version 1.4.2 or earlier. Specifically, look for the presence of the AJAX endpoint 'check_success_response' which allows unauthenticated requests to set WooCommerce orders to 'pending payment' status. To detect exploitation attempts, monitor your web server logs for POST requests to 'wp-admin/admin-ajax.php' with the action parameter 'check_success_response' coming from unauthenticated sources. Example command to search Apache logs for such requests: grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=check_success_response'. Additionally, you can query your WooCommerce orders for unexpected status changes to 'pending payment' that were not initiated by authenticated users. [1]
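The access-log grep above only sees the `action` parameter when it travels in the query string; admin-ajax.php requests usually carry it in the POST body, which the default Apache/nginx log format does not record. The order side is therefore the more reliable place to look, because WooCommerce writes a status-transition note on every status change and records whether a logged-in user or "the system" made it. The following script is an added example, not part of the advisory or of the plugin: it runs inside WordPress (for instance with `wp eval-file`), lists orders currently in `pending` that were modified recently, and reports the most recent transition note for each. The 7-day window and the function name are assumptions.

```php
<?php
/**
 * Added example (not from the advisory): report WooCommerce orders that sit in
 * 'pending' and show who moved them there, using the status-transition notes
 * WooCommerce attaches to every status change.
 * Run inside WordPress, e.g.:  wp eval-file find-suspicious-pending.php
 * The 7-day lookback is an assumption; match it to your log retention.
 */
function example_find_suspicious_pending_orders( $days = 7 ) {
    $since = ( new DateTime( "-{$days} days", wp_timezone() ) )->format( 'Y-m-d H:i:s' );

    // Orders currently 'pending' whose record changed inside the window.
    $orders = wc_get_orders( array(
        'status'        => 'pending',
        'date_modified' => '>' . $since,
        'limit'         => -1,
    ) );

    $findings = array();
    foreach ( $orders as $order ) {
        // Internal (non-customer) notes, newest first.
        $notes = wc_get_order_notes( array(
            'order_id' => $order->get_id(),
            'type'     => 'internal',
            'orderby'  => 'date_created',
            'order'    => 'DESC',
        ) );
        foreach ( $notes as $note ) {
            // WooCommerce phrases transitions as "Order status changed from X to Y."
            // (wording is translatable; adjust the match for non-English stores).
            if ( false === stripos( $note->content, 'status changed' ) ) {
                continue;
            }
            $findings[] = array(
                'order_id' => $order->get_id(),
                'when'     => $note->date_created->format( 'Y-m-d H:i:s' ),
                // 'system' means no logged-in user made the change, which is what an
                // unauthenticated AJAX call looks like; a name means a staff action.
                'by'       => $note->added_by,
                'note'     => $note->content,
            );
            break; // only the most recent transition is of interest here
        }
    }
    return $findings;
}

foreach ( example_find_suspicious_pending_orders() as $f ) {
    printf( "#%d  %s  by %s: %s\n", $f['order_id'], $f['when'], $f['by'], $f['note'] );
}
```

Legitimate gateway callbacks also appear as `system`, so a `system` transition to `pending` on an order that was already processing or completed is the signal worth correlating against the admin-ajax.php timestamps in the web server log.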
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Aplazo Payment Gateway plugin to a version later than 1.4.2 where the missing capability check is fixed. If an update is not yet available, temporarily disable the plugin to prevent exploitation. Additionally, restrict access to the AJAX endpoint 'check_success_response' by implementing authentication checks or firewall rules to block unauthenticated requests. Monitor WooCommerce orders for suspicious status changes and review logs for unauthorized activity. Consider applying custom code patches to add capability checks to the 'check_success_response' function until an official fix is released. [1]
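The last step, adding a capability check to the handler, is what CWE-862 asks for. The snippet below is an added illustration of that pattern in a WordPress AJAX handler; it is not the Aplazo plugin's code, and the handler bodies, the `order_id` request parameter and the nonce action name are assumptions made for the example. Only the AJAX action name `check_success_response` comes from the advisory. The first function shows the shape the advisory describes (reachable without login, no authorization), the second the hardened form.

```php
<?php
/**
 * Added example, not the plugin's code. Shows the CWE-862 pattern the advisory
 * describes and a hardened replacement for a WordPress/WooCommerce AJAX handler.
 * Assumed for illustration: the 'order_id' POST field and the nonce action name.
 */

// --- Pattern described by the advisory: anyone can drive any order to 'pending'.
function example_insecure_check_success_response() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // No nonce, no capability check, no state guard: the caller picks the order.
    $order->update_status( 'pending', 'Payment pending (gateway callback).' );
    wp_send_json_success();
}
// Shown for contrast only, not registered in this file. The wp_ajax_nopriv_* hook is
// what exposes a handler to visitors who are not logged in.
// add_action( 'wp_ajax_nopriv_check_success_response', 'example_insecure_check_success_response' );
// add_action( 'wp_ajax_check_success_response',        'example_insecure_check_success_response' );

// --- Hardened form: CSRF nonce, capability (authorization), and a status guard.
function example_secure_check_success_response() {
    // 1. Reject forged cross-site requests (nonce action name is an assumption).
    check_ajax_referer( 'example_check_success_nonce', 'security' );

    // 2. Authorization: only users allowed to manage WooCommerce orders.
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }

    // 3. Never let a "pending" callback roll back an order that is already paid.
    if ( $order->is_paid() ) {
        wp_send_json_error( 'order already paid', 409 );
    }

    $order->update_status( 'pending', 'Payment pending (authorized status update).' );
    wp_send_json_success( array(
        'order_id' => $order_id,
        'status'   => $order->get_status(),
    ) );
}
// Registered on wp_ajax_* only (logged-in users); no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_check_success_response', 'example_secure_check_success_response' );
```

One caveat when patching a payment gateway: if the endpoint must be reachable by a customer's browser returning from the gateway, that customer has no WordPress login and `current_user_can()` cannot apply. In that case the request has to be tied to the specific order by a secret the caller cannot guess (for example comparing against `$order->get_order_key()`), and the payment state should be confirmed with the gateway's own API rather than taken from the request.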