{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11728", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-13T22:54:55.316Z", "datePublished": "2025-10-15T08:26:03.227Z", "dateUpdated": "2026-04-08T17:20:52.074Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:52.074Z"}, "affected": [{"vendor": "oceanpayment", "product": "Oceanpayment CreditCard Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs."}], "title": "Oceanpayment CreditCard Gateway <= 6.0 - Missing Authentication to Unauthenticated Order Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c560bc33-d664-433e-bfd9-e4fa1776bb76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L594"}, {"url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L489"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-14T19:36:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:51:08.490636Z", "id": "CVE-2025-11728", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:52:55.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T13:51:08.490636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:51:22.851Z"}}], "cna": {"title": "Oceanpayment CreditCard Gateway <= 6.0 - Missing Authentication to Unauthenticated Order Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "oceanpayment", "product": "Oceanpayment CreditCard Gateway", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:36:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c560bc33-d664-433e-bfd9-e4fa1776bb76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L594"}, {"url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L489"}], "descriptions": [{"lang": "en", "value": "The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:52.074Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11728", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:52.074Z", "dateReserved": "2025-10-13T22:54:55.316Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:26:03.227Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs."}], "id": "CVE-2025-11728", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:43.307", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L489"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L594"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c560bc33-d664-433e-bfd9-e4fa1776bb76?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:19:00.687495+00:00", "value": {"mitigation_remediation": ["Upgrade the Oceanpayment CreditCard Gateway plugin to a version newer than 6.0.", "If an update is not immediately feasible, restrict access to the plugin\u2019s payment handling URLs via firewall rules or IP whitelisting to limit exposure to trusted hosts.", "Modify the plugin\u2019s 'return_payment' and 'notice_payment' functions to include proper authentication checks such as verifying user roles or WordPress nonces before processing order updates."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of orders and transaction IDs in WooCommerce"}, "threat_synthesis": {"affected_systems": "oceanpayment:Oceanpayment CreditCard Gateway, all versions up to and including 6.0, deployed on WordPress sites running WooCommerce.", "description_and_impact": "The Oceanpayment CreditCard Gateway plugin allows unauthenticated users to invoke the 'return_payment' and 'notice_payment' functions without any authentication or capability checks. This flaw lets an attacker alter the status of WooCommerce orders, setting them to 'failed', and can also change transaction identifiers. The impact is loss of order integrity and potential financial misreporting, as the attacker can manipulate order history and payment data without needing valid credentials.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred as unauthenticated HTTP requests to the plugin\u2019s exposed endpoints, as the functions are callable without authentication checks."}}}}, "created": "2025-10-20T13:26:55.419898+00:00", "updated": "2026-04-21T02:30:25.822662+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}