{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12392", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T13:28:46.120Z", "datePublished": "2025-11-18T09:27:39.093Z", "dateUpdated": "2026-04-08T17:10:19.397Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:19.397Z"}, "affected": [{"vendor": "tripleatechnology", "product": "Cryptocurrency Payment Gateway for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.25", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.25. This makes it possible for unauthenticated attackers to opt in and out of tracking."}], "title": "Cryptocurrency Payment Gateway for WooCommerce <= 2.0.25 - Missing Authorization to Unauthenticated Tracking Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d48392-fb64-4e5e-be9c-21df0bf75de6?source=cve"}, {"url": "https://wordpress.org/plugins/triplea-cryptocurrency-payment-gateway-for-woocommerce/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446959%40triplea-cryptocurrency-payment-gateway-for-woocommerce&new=3446959%40triplea-cryptocurrency-payment-gateway-for-woocommerce&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-17T20:53:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T21:09:20.833273Z", "id": "CVE-2025-12392", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:09:29.750Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12392", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T21:09:20.833273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:09:25.637Z"}}], "cna": {"title": "Cryptocurrency Payment Gateway for WooCommerce <= 2.0.25 - Missing Authorization to Unauthenticated Tracking Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "tripleatechnology", "product": "Cryptocurrency Payment Gateway for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.25"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T20:53:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d48392-fb64-4e5e-be9c-21df0bf75de6?source=cve"}, {"url": "https://wordpress.org/plugins/triplea-cryptocurrency-payment-gateway-for-woocommerce/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446959%40triplea-cryptocurrency-payment-gateway-for-woocommerce&new=3446959%40triplea-cryptocurrency-payment-gateway-for-woocommerce&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.25. This makes it possible for unauthenticated attackers to opt in and out of tracking."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:19.397Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12392", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:19.397Z", "dateReserved": "2025-10-28T13:28:46.120Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T09:27:39.093Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.25. This makes it possible for unauthenticated attackers to opt in and out of tracking."}], "id": "CVE-2025-12392", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T10:15:47.480", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446959%40triplea-cryptocurrency-payment-gateway-for-woocommerce&new=3446959%40triplea-cryptocurrency-payment-gateway-for-woocommerce&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/triplea-cryptocurrency-payment-gateway-for-woocommerce/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d48392-fb64-4e5e-be9c-21df0bf75de6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:23:34.136879+00:00", "value": {"mitigation_remediation": ["Update the plugin to the latest available version, which removes the missing capability check.", "If immediate update is not possible, limit access to the opt\u2011in/out endpoint by restricting it to users with administrative privileges, for example through role\u2011based access control settings or server\u2011level access rules.", "Enable logging for plugin configuration changes and review logs regularly for unauthorized opt\u2011in/out activity."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have installed the Tripleatechnology Cryptocurrency Payment Gateway for WooCommerce plugin, version 2.0.25 or earlier, are affected. Sites running the plugin on any WooCommerce installation up to the stated version are vulnerable until an update is applied.", "description_and_impact": "The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress suffers from a missing capability check in the 'handle_optin_optout' function, allowing unauthenticated users to toggle tracking opt\u2011in status. This flaw enables attackers to alter plugin configuration data without permission, exposing sensitive user tracking preferences. The weakness is classified as CWE-862, representing a lack of proper access control.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The flaw is not listed in the CISA KEV catalog. The likely attack vector is via the publicly accessible plugin endpoint that handles opt\u2011in/out requests, meaning an attacker can exploit this issue without authentication or an existing WordPress session."}}}}, "created": "2025-11-19T10:48:08.982466+00:00", "updated": "2026-04-22T12:30:16.833130+00:00", "vendors": ["tripleatechnology", "tripleatechnology$PRODUCT$cryptocurrency_payment_gateway_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}