CVE-2025-14461
Unauthorized Order Status Manipulation in Xendit WooCommerce Plugin
Publication date: 2026-02-04
Last updated on: 2026-04-08
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xendit | woocommerce_xendit_virtual_accounts | up to and including 6.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Xendit Payment plugin for WordPress, used in WooCommerce, has a vulnerability in all versions up to and including 6.0.2. It exposes a publicly accessible API callback endpoint that processes payment notifications without any authentication or cryptographic verification. This means attackers can send crafted requests pretending to be the payment gateway.
Specifically, an attacker can send a POST request to the callback URL with a JSON body containing an order ID and a status of 'PAID' or 'SETTLED'. Since order IDs are sequential integers and can be enumerated, attackers can mark any order as paid without actually making a payment.
This unauthorized order status manipulation leads to fraudulent completion of orders.
How can this vulnerability impact me?
This vulnerability can cause significant financial loss because attackers can mark orders as paid without actual payment. This fraudulent order completion can also lead to inventory depletion, as the system will treat these orders as legitimate and allocate stock accordingly.
Additionally, it undermines the integrity of the order management system, potentially causing operational disruptions and loss of customer trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the publicly accessible WooCommerce API callback endpoint `wc_xendit_callback`. Specifically, look for POST requests containing JSON bodies with an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED' that do not originate from the legitimate Xendit payment gateway.
To detect such activity on your system or network, use network monitoring or web server access logs to filter for suspicious POST requests to the callback URL.
- Use command-line tools like `grep` or `awk` on your web server logs to find POST requests to the endpoint, for example: `grep 'POST /wc-api/wc_xendit_callback' /var/log/apache2/access.log`
- Use `curl` to test the endpoint manually by sending a crafted POST request with a JSON body containing `external_id` and `status` fields to see whether the order status can be manipulated.
- Monitor WooCommerce order status changes for unexpected transitions to 'paid' or 'settled' without corresponding payment confirmations. [1]
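The `grep` one-liner above finds every POST to the callback path; what a responder actually wants is the subset that did not come from the gateway. The following script is an added example (not part of this advisory or of the Xendit plugin) that parses Apache combined-format access log lines and reports callback POSTs from source addresses outside an allowlist. The log lines are constructed samples, and `TRUSTED_SOURCES` is a placeholder range: replace it with the callback source addresses your gateway publishes.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Feb/2026:10:01:22 +0000] "POST /wc-api/wc_xendit_callback HTTP/1.1" 200 15 "-" "Xendit-Webhook"
198.51.100.7 - - [04/Feb/2026:10:03:41 +0000] "POST /wc-api/wc_xendit_callback HTTP/1.1" 200 15 "-" "python-requests/2.31"
198.51.100.7 - - [04/Feb/2026:10:03:42 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.55 - - [04/Feb/2026:10:05:09 +0000] "POST /wc-api/wc_xendit_callback/?x=1 HTTP/1.1" 200 15 "-" "curl/8.4.0"
"""

# Placeholder allowlist (assumption): substitute the gateway's published callback ranges.
TRUSTED_SOURCES = [ip_network("203.0.113.0/24")]

CALLBACK_PATH = "/wc-api/wc_xendit_callback"

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    user_agent: str


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, trusted):
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def normalize_path(path):
    """Drop the query string and trailing slash so path variants still match."""
    return path.split("?", 1)[0].rstrip("/")


def find_untrusted_callbacks(log_text, trusted=TRUSTED_SOURCES):
    """Return callback POSTs whose source is not in the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if normalize_path(rec["path"]) != CALLBACK_PATH:
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        hits.append(Hit(rec["ip"], rec["ts"], rec["path"], rec["ua"]))
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_callbacks(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.path} ua={hit.user_agent!r}")
```

Pair the flagged timestamps with WooCommerce's order notes: a status change to paid at the same time as a POST from an unknown address, with no matching payment record on the gateway side, is the signature the advisory describes.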
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable WooCommerce API callback endpoint (`wc_xendit_callback`) to only trusted sources, such as the legitimate Xendit payment gateway IP addresses.
Implement authentication or cryptographic verification on the callback endpoint to ensure that only valid requests from Xendit are processed.
If possible, update the WooCommerce Xendit Virtual Accounts plugin to a version that patches this vulnerability or apply any available security patches.
Monitor and audit order status changes closely to detect any fraudulent activity early.
Consider temporarily disabling the Xendit payment method in WooCommerce until a secure fix is applied.
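To make the "authentication or cryptographic verification on the callback endpoint" step concrete, here is an added example, written for this page and not taken from the Xendit plugin, that puts the unverified pattern the advisory describes next to a hardened one. It assumes a shared callback secret presented in an `x-callback-token` header (the header name is an assumption; use whatever your gateway documents), an in-memory stand-in for order storage, and a `lookup_payment` callable that asks the gateway for the authoritative payment status instead of trusting the notification body.

```python
import hmac
import json
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    status: str = "pending"


class FakeStore:
    """Constructed in-memory stand-in for WooCommerce order storage."""

    def __init__(self, orders):
        self.orders = {o.order_id: o for o in orders}


# --- Unverified pattern (the defect the advisory describes): trust the body outright ---
def handle_callback_unverified(store, headers, raw_body):
    data = json.loads(raw_body)
    order = store.orders.get(int(data["external_id"]))
    if order and data.get("status") in ("PAID", "SETTLED"):
        order.status = "processing"  # anyone who can reach the URL can do this
        return 200, "order marked paid"
    return 404, "unknown order"


# --- Hardened pattern ---
CALLBACK_TOKEN = "example-shared-secret"  # placeholder; load from configuration, not source


def handle_callback_verified(store, headers, raw_body, lookup_payment, token=CALLBACK_TOKEN):
    """Accept a notification only with a valid token, then confirm status with the gateway.

    lookup_payment(external_id) -> str is assumed to query the gateway's own record.
    """
    presented = headers.get("x-callback-token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(presented, token):
        return 401, "invalid callback token"
    try:
        data = json.loads(raw_body)
        order_id = int(data["external_id"])  # assumes external_id carries the order number
    except (ValueError, KeyError, TypeError):
        return 400, "malformed notification"
    order = store.orders.get(order_id)
    if order is None:
        return 404, "unknown order"
    if order.status != "pending":
        return 200, "already processed"  # idempotent: a replayed notification changes nothing
    # The notification is only a trigger; the gateway's record is the source of truth.
    authoritative = lookup_payment(str(order_id))
    if authoritative in ("PAID", "SETTLED"):
        order.status = "processing"
        return 200, "order marked paid"
    return 202, "notification received, payment not confirmed"


if __name__ == "__main__":
    forged = json.dumps({"external_id": "1001", "status": "PAID"})
    store = FakeStore([Order(1001)])
    print("unverified:", handle_callback_unverified(store, {}, forged), store.orders[1001].status)
    store = FakeStore([Order(1001)])
    print("verified, no token:", handle_callback_verified(store, {}, forged, lambda eid: "PAID"))
    good = {"x-callback-token": CALLBACK_TOKEN}
    print("verified, gateway says PENDING:",
          handle_callback_verified(store, good, forged, lambda eid: "PENDING"), store.orders[1001].status)
```

Two design points carry the weight here: the token check turns a public URL into one only the gateway can drive, and the gateway lookup means that even a request with a stolen token cannot mark an unpaid order as paid. The idempotency check also stops a legitimate notification that is replayed from re-triggering fulfilment logic.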