{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11890", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T19:01:24.095Z", "datePublished": "2025-11-04T04:27:16.569Z", "dateUpdated": "2026-04-08T16:49:12.817Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:12.817Z"}, "affected": [{"vendor": "beycanpress", "product": "Crypto Payment Gateway with Payeer for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue."}], "title": "Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 - Unauthenticated Payment Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43ca1393-637d-48e2-84f3-a06a4f0d83d1?source=cve"}, {"url": "https://wordpress.org/plugins/crypto-payment-gateway-with-payeer-for-woocommerce/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-11-03T15:59:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T16:47:50.125808Z", "id": "CVE-2025-11890", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:47:59.207Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T16:47:50.125808Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:47:55.464Z"}}], "cna": {"title": "Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 - Unauthenticated Payment Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "beycanpress", "product": "Crypto Payment Gateway with Payeer for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:59:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43ca1393-637d-48e2-84f3-a06a4f0d83d1?source=cve"}, {"url": "https://wordpress.org/plugins/crypto-payment-gateway-with-payeer-for-woocommerce/"}], "descriptions": [{"lang": "en", "value": "The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:12.817Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11890", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:12.817Z", "dateReserved": "2025-10-16T19:01:24.095Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:16.569Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue."}], "id": "CVE-2025-11890", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:04.337", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/crypto-payment-gateway-with-payeer-for-woocommerce/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43ca1393-637d-48e2-84f3-a06a4f0d83d1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:32:49.679079+00:00", "value": {"mitigation_remediation": ["Upgrade the Crypto Payment Gateway with Payeer for WooCommerce plugin to the latest version that includes the server\u2011side payment status validation.", "If an immediate update is not possible, block external access to the /wc-api/bp-payeer-gateway-callback endpoint or restrict it to trusted IP addresses only.", "Implement server\u2011side checks to verify that payment callbacks originate from the legitimate Payeer service before changing order status."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated Payment Bypass"}, "threat_synthesis": {"affected_systems": "WordPress sites using the beycanpress Crypto Payment Gateway with Payeer for WooCommerce plugin, versions <= 1.0.3.", "description_and_impact": "The Crypto Payment Gateway with Payeer for WooCommerce plugin allows attackers to change the status of an unpaid order to paid without authentication. The flaw is caused by missing server\u2011side validation on the /wc-api/bp-payeer-gateway-callback endpoint, which lets an attacker forge a request and trigger state changes. This results in unauthorized revenue loss and violates the integrity of transaction data.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.5, indicating high severity, while the EPSS score is below 1% suggesting exploitation is unlikely but still possible. It is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP request to the payment callback endpoint, allowing the attacker to modify order status server\u2011side."}}}}, "created": "2025-11-04T16:33:11.071495+00:00", "updated": "2026-04-22T12:45:17.020108+00:00", "vendors": ["beycanpress", "beycanpress$PRODUCT$crypto_payment_gateway_with_payeer_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}