CVE-2025-14294
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Data Modification in Razorpay WooCommerce Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14294
EUVD
EUVD-2025-207873
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
razorpay woo_razorpay to 4.7.8 (inc)
razorpay woo_razorpay 4.7.9
razorpay woocommerce_plugin to 4.7.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Razorpay for WooCommerce plugin for WordPress, specifically in all versions up to and including 4.7.8. It is caused by a missing capability check on the getCouponList() function. The function checkAuthCredentials(), which is supposed to verify permissions, always returns true, meaning no actual authentication is performed.

Because of this, unauthenticated attackers can exploit the API to modify billing and shipping contact information (email and phone) of any WooCommerce order simply by knowing or guessing the order ID.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify sensitive order data such as billing and shipping contact information (email and phone) for any WooCommerce order if they know or can guess the order ID.

Such unauthorized modifications can lead to order manipulation, misdirected shipments, fraudulent activities, and potential disruption of business operations.

Since attackers do not need to authenticate, the risk of exploitation is higher, potentially affecting customer trust and order integrity.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized modification of WooCommerce order data via the getCouponList() API endpoint due to missing proper authentication. Detection can focus on monitoring unauthorized or suspicious API requests to the Razorpay WooCommerce plugin endpoints, especially those attempting to modify billing or shipping contact information by guessing order IDs.'}, {'type': 'paragraph', 'content': 'Since the vulnerable versions lack proper HMAC signature verification and always return true on checkAuthCredentials(), you can detect exploitation attempts by looking for REST API POST requests to endpoints like `/wp-json/1cc/v1/coupon/list` or `/wp-json/1cc/v1/coupon/apply` that do not include valid `X-Razorpay-Signature` headers or come from unauthenticated sources.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': 'Using web server logs (e.g., Apache or Nginx) to search for POST requests to the Razorpay API endpoints without valid HMAC signatures or from unusual IP addresses.'}, {'type': 'list_item', 'content': 'Example command to search access logs for requests to the coupon list API endpoint:'}, {'type': 'list_item', 'content': "grep 'POST /wp-json/1cc/v1/coupon/list' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Check for missing or invalid `X-Razorpay-Signature` headers by inspecting logs or using a web application firewall (WAF) to flag requests lacking this header.'}, {'type': 'list_item', 'content': 'Monitor WooCommerce order meta changes, especially billing and shipping email or phone fields, for unexpected modifications that could indicate exploitation.'}, {'type': 'list_item', 'content': 'If you have access to the WordPress database, you can query recent changes to order meta fields related to billing and shipping contacts to identify suspicious updates.'}] [1, 3, 5]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, you should upgrade the Razorpay WooCommerce plugin to version 4.7.9 or later, where the vulnerability is fixed by enforcing proper HMAC signature verification and secret management for API requests.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider the following temporary mitigations:'}, {'type': 'list_item', 'content': 'Restrict access to the vulnerable API endpoints (e.g., `/wp-json/1cc/v1/coupon/list`) by IP address or via firewall rules to trusted sources only.'}, {'type': 'list_item', 'content': "Disable or restrict the Razorpay WooCommerce plugin's REST API endpoints until a patch can be applied."}, {'type': 'list_item', 'content': 'Monitor and audit WooCommerce order meta data for unauthorized changes to billing and shipping contact information.'}, {'type': 'list_item', 'content': 'Implement web application firewall (WAF) rules to block requests missing the `X-Razorpay-Signature` header or with invalid signatures.'}, {'type': 'paragraph', 'content': 'Ultimately, applying the official security update (version 4.7.9) is the recommended and most effective mitigation, as it introduces strict HMAC signature verification, secret synchronization, and improved API authentication.'}] [1, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart