{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14078", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T22:46:03.449Z", "datePublished": "2026-01-17T08:24:31.760Z", "dateUpdated": "2026-04-08T17:11:40.274Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:40.274Z"}, "affected": [{"vendor": "shoheitanaka", "product": "PAYGENT for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint."}], "title": "PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Benachi"}, {"lang": "en", "type": "finder", "value": "Terumi Benamou"}], "timeline": [{"time": "2025-12-18T17:14:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-16T19:57:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T19:18:17.367271Z", "id": "CVE-2025-14078", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T19:23:14.231Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T19:18:17.367271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T19:18:21.136Z"}}], "cna": {"title": "PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Benachi"}, {"lang": "en", "type": "finder", "value": "Terumi Benamou"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "shoheitanaka", "product": "PAYGENT for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-18T17:14:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-16T19:57:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:40.274Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14078", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:40.274Z", "dateReserved": "2025-12-04T22:46:03.449Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T08:24:31.760Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint."}, {"lang": "es", "value": "El plugin PAYGENT para WooCommerce para WordPress es vulnerable a Falta de Autorizaci\u00f3n en todas las versiones hasta la 2.4.6, inclusive. Esto se debe a la falta de comprobaciones de autorizaci\u00f3n en la funci\u00f3n paygent_check_webhook, combinada con el hecho de que la funci\u00f3n paygent_permission_callback devuelve 'true' incondicionalmente en la l\u00ednea 199. Esto hace posible que atacantes no autenticados manipulen las devoluciones de llamada de pago y modifiquen los estados de los pedidos enviando notificaciones de pago falsificadas a trav\u00e9s del endpoint '/wp-json/paygent/v1/check/'."}], "id": "CVE-2025-14078", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T09:15:51.390", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:17:28.212430+00:00", "value": {"mitigation_remediation": ["Upgrade the PAYGENT for WooCommerce plug\u2011in to the latest version (>=\u202f2.4.7) where the monitor endpoint requires proper authentication.", "If the upgrade cannot be performed immediately, lock down the /wp-json/paygent/v1/check/ endpoint by adding authentication (e.g., HTTP Basic Auth) or by completely disabling it through a custom rule or plugin modification.", "After remediation, audit order logs for any unauthorized status changes and reconcile affected orders to prevent financial loss."], "summary": {"action": "Patch Now", "impact": "Unauthorized Order Status Modification"}, "threat_synthesis": {"affected_systems": "This weakness is present in the shoheitanaka \u201cPAYGENT for WooCommerce\u201d WordPress plug\u2011in, affecting every release up to and including version\u202f2.4.6. Site administrators running any of these versions are susceptible because the flaw is in the core endpoint logic and is not limited by other configuration settings. Versions newer than 2.4.6 are exempt, but no version list is explicitly supplied in the original data.", "description_and_impact": "The PAYGENT for WooCommerce plug\u2011in for WordPress contains a missing authorization flaw that allows an unauthenticated attacker to trigger the paygent_check_webhook endpoint. The callback logic itself performs no authentication, and the permission callback always returns true, so crafted POST requests to the exposed /wp-json/paygent/v1/check/ URL can be used to spoof payment notifications. By doing so, an attacker can alter the status of existing orders, promote pending orders to paid, or downgrade confirmed payments, thereby enabling financial fraud or denial of service to legitimate customers.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than\u202f1\u202f% suggests a low current probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, but the absence of authentication on a public REST endpoint means that an attacker can exercise the vulnerability from any network with access to the site. The impact is primarily on data integrity and financial loss rather than code execution, and mitigation hinges on updating the plug\u2011in or blocking the endpoint until a patch becomes available."}}}}, "created": "2026-01-19T09:19:25.834881+00:00", "updated": "2026-04-21T16:30:40.670201+00:00", "vendors": ["shoheitanaka", "shoheitanaka$PRODUCT$japanized_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}