CVE-2025-15513
Unauthorized Data Modification in Float Payment Gateway Plugin
Publication date: 2026-01-14
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| float | payment_gateway | up to and including 1.1.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Float Payment Gateway plugin for WordPress is due to improper error handling in the verifyFloatResponse() function. This flaw allows unauthenticated attackers to manipulate the verification process and mark any WooCommerce order as failed without authorization.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to mark legitimate WooCommerce orders as failed. This could disrupt order processing, cause confusion for customers and merchants, and potentially lead to loss of sales or trust in the payment system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring WooCommerce orders for unauthorized status changes to 'failed' without corresponding legitimate payment failures. Since the vulnerability exploits improper error handling in the verifyFloatResponse() function, allowing unauthenticated attackers to mark orders as failed, you can audit WooCommerce order logs and check for unexpected order status changes. Additionally, inspecting HTTP POST callbacks to the Float Payment Gateway plugin endpoint for suspicious or malformed requests containing the 'transaction_verify' nonce can help detect exploitation attempts. Specific commands depend on your server environment, but for example, on a Linux server you can use:

1. To check web server logs for POST requests to the Float callback endpoint: `grep 'POST /wp-content/plugins/float-gateway/' /var/log/apache2/access.log`, or the equivalent for your web server logs.
2. To search for WooCommerce order status changes in the database, run SQL queries on the WordPress database, e.g.: `SELECT ID, post_status, post_date FROM wp_posts WHERE post_type = 'shop_order' AND post_status = 'wc-failed' ORDER BY post_date DESC LIMIT 100;`
3. To monitor real-time logs for suspicious activity: `tail -f /var/log/apache2/access.log | grep 'float'`

Adjust paths and commands according to your environment. These steps help identify potential exploitation attempts or unauthorized order modifications. [2]
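As an added example (not part of this record and not the plugin's own code), the following Python script applies the detection logic described above to constructed sample data: it parses Apache combined-format access log lines, picks out POST requests to the Float callback path that do not come from the known gateway address, and pairs each order that moved to `wc-failed` with an untrusted callback that preceded it within a short window. The callback path `/wp-content/plugins/float-gateway/` is taken from the answer above; the `callback.php` file name, the gateway address `192.0.2.50`, the log lines and the order rows are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed callback path of the plugin, taken from the grep command above; the
# exact endpoint file name is not given on the page and is a placeholder here.
CALLBACK_PREFIX = "/wp-content/plugins/float-gateway/"
# Constructed address of the legitimate gateway that is expected to send callbacks.
TRUSTED_GATEWAY_IPS = {"192.0.2.50"}

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Jan/2026:10:01:02 +0000] "POST /wp-content/plugins/float-gateway/callback.php?transaction_verify=abc HTTP/1.1" 200 45 "-" "curl/8.0"
198.51.100.9 - - [14/Jan/2026:10:01:10 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2026:10:01:15 +0000] "POST /wp-content/plugins/float-gateway/callback.php?transaction_verify=abc HTTP/1.1" 200 45 "-" "curl/8.0"
192.0.2.50 - - [14/Jan/2026:10:02:00 +0000] "POST /wp-content/plugins/float-gateway/callback.php HTTP/1.1" 200 45 "-" "FloatGateway/1.0"
"""

# Constructed sample of order status rows, shaped like the wp_posts query above
# would return them (order id, status, time of the status change).
SAMPLE_ORDER_EVENTS = [
    {"order_id": 1001, "status": "wc-failed", "ts": "2026-01-14T10:01:05+00:00"},
    {"order_id": 1002, "status": "wc-completed", "ts": "2026-01-14T10:01:30+00:00"},
    {"order_id": 1003, "status": "wc-failed", "ts": "2026-01-14T10:02:03+00:00"},
]

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Return one dict per parseable line: ip, ts (aware datetime), method, path, status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def find_callback_posts(entries, prefix=CALLBACK_PREFIX, trusted_ips=TRUSTED_GATEWAY_IPS):
    """POST requests to the callback path whose source is not the known gateway."""
    return [
        e for e in entries
        if e["method"] == "POST" and e["path"].startswith(prefix) and e["ip"] not in trusted_ips
    ]


def summarize_by_ip(posts):
    """Count untrusted callback POSTs per source address (a burst is worth a closer look)."""
    return Counter(p["ip"] for p in posts)


def load_order_events(rows):
    """Convert ISO-8601 timestamps in the order rows to aware datetimes."""
    return [
        {"order_id": r["order_id"], "status": r["status"], "ts": datetime.fromisoformat(r["ts"])}
        for r in rows
    ]


def correlate_failed_orders(posts, events, window_seconds=30):
    """Pair each wc-failed transition with the first untrusted callback POST that
    preceded it within window_seconds. Returns sorted (order_id, source_ip) tuples."""
    flagged = {}
    for ev in events:
        if ev["status"] != "wc-failed":
            continue
        for p in posts:
            delta = (ev["ts"] - p["ts"]).total_seconds()
            if 0 <= delta <= window_seconds:
                flagged.setdefault(ev["order_id"], p["ip"])
                break
    return sorted(flagged.items())


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    posts = find_callback_posts(entries)
    print("untrusted callback POSTs per IP:", dict(summarize_by_ip(posts)))
    events = load_order_events(SAMPLE_ORDER_EVENTS)
    for order_id, ip in correlate_failed_orders(posts, events):
        print(f"order {order_id} marked wc-failed shortly after callback from {ip}")
```

Order 1003 in the sample is not flagged: the only POST that precedes it closely enough comes from the trusted gateway address, which is the benign case the correlation is meant to exclude. In a real deployment the window and the trusted address list should match the gateway's actual callback timing and source ranges, and the order rows would come from the `wp_posts` query shown above rather than an inline list.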
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the Float Payment Gateway plugin to a version later than 1.1.9, where the vulnerability is fixed, if available.
2. If an update is not yet available, temporarily disable the Float Payment Gateway plugin to prevent exploitation.
3. Monitor WooCommerce orders for unauthorized status changes and manually verify any failed orders.
4. Restrict access to the plugin's callback endpoints by implementing firewall rules or web application firewall (WAF) rules to allow only trusted IPs or block suspicious requests.
5. Enable debug mode in the plugin settings to log detailed information for investigation.
6. Review and harden server and WordPress security configurations to reduce the attack surface.

These steps help prevent unauthorized marking of orders as failed until a patch is applied. [2]