CVE-2025-14294
Unauthorized Data Modification in Razorpay WooCommerce Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| razorpay | woo_razorpay | to 4.7.8 (inc) |
| razorpay | woo_razorpay | 4.7.9 |
| razorpay | woocommerce_plugin | to 4.7.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects the Razorpay for WooCommerce plugin for WordPress in all versions up to and including 4.7.8. The plugin's checkAuthCredentials() function, which is meant to authenticate requests to its REST API (the page names the getCouponList() function as the affected code path), unconditionally returns true, so no authentication is actually performed before the API acts on a request (CWE-306).
Because of this, unauthenticated attackers can use the API to modify the billing and shipping contact information (email and phone) of any WooCommerce order, provided they know or can guess the order ID.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to modify sensitive order data such as billing and shipping contact information (email and phone) for any WooCommerce order if they know or can guess the order ID.
Such unauthorized modifications can lead to order manipulation, misdirected shipments, fraudulent activities, and potential disruption of business operations.
Since attackers do not need to authenticate, the risk of exploitation is higher, potentially affecting customer trust and order integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of WooCommerce order data through the plugin's 1cc REST API (the page names the getCouponList() function) because the authentication check never rejects a request. Detection can therefore focus on unauthorized or suspicious requests to the Razorpay WooCommerce plugin endpoints, especially bursts that look like order-ID guessing against the billing and shipping contact fields.

Since the vulnerable versions lack proper HMAC signature verification and checkAuthCredentials() always returns true, exploitation attempts show up as REST API POST requests to endpoints such as `/wp-json/1cc/v1/coupon/list` or `/wp-json/1cc/v1/coupon/apply` that do not carry a valid `X-Razorpay-Signature` header or that come from unauthenticated sources.

Suggested commands and checks:
- Search the web server logs (Apache or Nginx) for POST requests to the Razorpay API endpoints, paying attention to repeated requests from a single or unusual IP address. Example command for the coupon list endpoint:
  grep 'POST /wp-json/1cc/v1/coupon/list' /var/log/apache2/access.log
- Check for missing or invalid `X-Razorpay-Signature` headers. Note that the default combined access-log format does not record request headers, so this check belongs in a web application firewall (WAF) rule or in a custom log format that includes the header.
- Monitor WooCommerce order meta changes, especially the billing and shipping email and phone fields, for unexpected modifications that could indicate exploitation.
- If you have access to the WordPress database, query recent changes to the order meta fields for billing and shipping contacts to identify suspicious updates.
[1, 3, 5]
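The log review above, as a worked example. This is added detection logic, not code from the advisory or the plugin: it parses Apache/Nginx combined-format lines, keeps the requests under the 1cc REST namespace named above, and reports clients that hit those routes repeatedly without a Referer, which is consistent with a script rather than a checkout page. The sample lines, IP addresses and threshold are constructed; the combined format carries no `X-Razorpay-Signature` header, so header checks still need a WAF or custom log format.

```python
import re

# Apache/Nginx combined format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# REST namespace of the plugin endpoints named in the advisory text.
WATCH_PREFIX = "/wp-json/1cc/v1/"

# Constructed sample traffic (not real log data): one browser client and one
# scripted client hammering the coupon endpoints with no Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2026:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2026:10:01:05 +0000] "POST /wp-json/1cc/v1/coupon/list HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [19/Feb/2026:10:01:05 +0000] "POST /wp-json/1cc/v1/coupon/apply HTTP/1.1" 200 380 "-" "python-requests/2.31"
198.51.100.7 - - [19/Feb/2026:10:01:06 +0000] "POST /wp-json/1cc/v1/coupon/apply HTTP/1.1" 200 380 "-" "python-requests/2.31"
198.51.100.7 - - [19/Feb/2026:10:01:06 +0000] "POST /wp-json/1cc/v1/coupon/apply HTTP/1.1" 200 380 "-" "python-requests/2.31"
203.0.113.10 - - [19/Feb/2026:10:02:10 +0000] "POST /wp-json/1cc/v1/coupon/list HTTP/1.1" 200 412 "https://shop.example/checkout/" "Mozilla/5.0"
203.0.113.10 - - [19/Feb/2026:10:02:11 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_1cc_requests(log_text):
    """Return every parsed entry whose path is under the plugin's 1cc namespace."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].startswith(WATCH_PREFIX):
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Per-IP counts, distinct routes, user agents and how many requests lacked a Referer."""
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["ip"], {"requests": 0, "paths": set(), "user_agents": set(), "no_referer": 0}
        )
        s["requests"] += 1
        s["paths"].add(h["path"])
        s["user_agents"].add(h["ua"])
        if h["referer"] == "-":
            s["no_referer"] += 1
    return summary


def suspicious_ips(hits, min_requests=3):
    """IPs that call 1cc routes at least min_requests times and never send a Referer.

    Checkout-page traffic normally carries a Referer; a client that never does and
    repeats calls quickly looks like scripted enumeration. The threshold is an
    assumption to tune against your own baseline.
    """
    summary = summarize_by_ip(hits)
    return sorted(
        ip for ip, s in summary.items()
        if s["requests"] >= min_requests and s["no_referer"] == s["requests"]
    )


if __name__ == "__main__":
    found = flag_1cc_requests(SAMPLE_LOG)
    for ip, s in summarize_by_ip(found).items():
        print(ip, s["requests"], sorted(s["paths"]), sorted(s["user_agents"]))
    print("suspicious:", suspicious_ips(found))
```

Run it against a real log with `flag_1cc_requests(open("/var/log/apache2/access.log").read())`; the same per-IP summary applies to Nginx access logs written in the default combined format.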
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the Razorpay WooCommerce plugin to version 4.7.9 or later, where the vulnerability is fixed by enforcing proper HMAC signature verification and secret management for API requests.

If upgrading immediately is not possible, consider the following temporary mitigations:
- Restrict access to the vulnerable API endpoints (e.g., `/wp-json/1cc/v1/coupon/list`) by IP address or via firewall rules to trusted sources only.
- Disable or restrict the Razorpay WooCommerce plugin's REST API endpoints until the patch can be applied.
- Monitor and audit WooCommerce order meta data for unauthorized changes to billing and shipping contact information.
- Implement web application firewall (WAF) rules to block requests missing the `X-Razorpay-Signature` header or carrying an invalid signature.

Ultimately, applying the official security update (version 4.7.9) is the recommended and most effective mitigation, as it introduces strict HMAC signature verification, secret synchronization, and improved API authentication.
[1, 4, 5]
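The WAF rule and the fixed check, side by side, as an added illustration that is not the plugin's own code. `vulnerable_check_auth` models the defect the advisory describes (a check that accepts every request); `hardened_check_auth` models what a gate in front of `/wp-json/1cc/v1/` should do with the `X-Razorpay-Signature` header. The exact scheme 4.7.9 uses (hash function, what bytes are signed, hex encoding) is not stated on this page, so HMAC-SHA256 over the raw request body with a hex digest, the shared secret and the sample body are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real deployment takes it from the plugin's settings.
SECRET = b"constructed-shared-secret-for-demo"

# Constructed request body shaped like an order-contact update (assumed field names).
SAMPLE_BODY = json.dumps(
    {"order_id": 1234, "billing_email": "buyer@example.test", "billing_phone": "+910000000000"}
).encode()


def vulnerable_check_auth(*_args):
    """Models the defect described above: every request passes."""
    return True


def sign(body: bytes, secret: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def hardened_check_auth(body: bytes, signature, secret: bytes) -> bool:
    """Reject a missing, malformed or mismatching signature; compare in constant time."""
    if not isinstance(signature, str) or not signature or not signature.isascii():
        return False
    return hmac.compare_digest(sign(body, secret), signature.lower())


def gate_request(headers: dict, body: bytes, secret: bytes, check=hardened_check_auth) -> int:
    """What a WAF or reverse-proxy rule in front of /wp-json/1cc/v1/ would return.

    200 stands for "forward to WordPress", 403 for "blocked at the edge".
    """
    signature = headers.get("X-Razorpay-Signature")
    return 200 if check(body, signature, secret) else 403


def demo():
    """Exercise both checks against valid, missing, wrong and tampered inputs."""
    good_headers = {"X-Razorpay-Signature": sign(SAMPLE_BODY, SECRET)}
    tampered_body = SAMPLE_BODY.replace(b"buyer@example.test", b"attacker@example.test")
    return {
        "valid": gate_request(good_headers, SAMPLE_BODY, SECRET),
        "missing_header": gate_request({}, SAMPLE_BODY, SECRET),
        "wrong_signature": gate_request({"X-Razorpay-Signature": "deadbeef"}, SAMPLE_BODY, SECRET),
        "tampered_body": gate_request(good_headers, tampered_body, SECRET),
        # The vulnerable check lets the unsigned request straight through.
        "vulnerable_missing_header": gate_request({}, SAMPLE_BODY, SECRET, check=vulnerable_check_auth),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28s} -> {status}")
```

The same three rejection cases (no header, wrong value, body altered after signing) are what a WAF rule should express; an allow-list of source IPs on top of it is reasonable only if every legitimate caller of these routes is known.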