{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14450", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T14:23:46.780Z", "datePublished": "2026-01-17T02:22:31.567Z", "dateUpdated": "2026-04-08T16:49:48.052Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:48.052Z"}, "affected": [{"vendor": "wpswings", "product": "Wallet System for WooCommerce \u2013 Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances."}], "title": "Wallet System for WooCommerce <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140"}, {"url": "https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-10T14:38:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-16T14:05:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T18:40:13.783068Z", "id": "CVE-2025-14450", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T19:24:20.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14450", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T18:40:13.783068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:40:27.357Z"}}], "cna": {"title": "Wallet System for WooCommerce <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "wpswings", "product": "Wallet System for WooCommerce \u2013 Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.7.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-10T14:38:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-16T14:05:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140"}, {"url": "https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:48.052Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14450", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:48.052Z", "dateReserved": "2025-12-10T14:23:46.780Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T02:22:31.567Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances."}, {"lang": "es", "value": "El plugin Wallet System para WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'change_wallet_fund_request_status_callback' en todas las versiones hasta la 2.7.2, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, manipulen las solicitudes de retiro de monedero y aumenten arbitrariamente su saldo de monedero o disminuyan los saldos de otros usuarios."}], "id": "CVE-2025-14450", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T03:16:03.367", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:19:45.921234+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of the plugin (e.g., 2.7.3 or later) that includes the missing capability check.", "If an immediate update is unavailable, restrict usage of the wallet component to administrator\u2011level users only or temporarily deactivate the feature until a patch is applied.", "Monitor transaction logs and wallet balances for abnormal activity, and revoke or downgrade compromised user accounts."], "summary": {"action": "Upgrade Plugin", "impact": "Arbitrary wallet balance manipulation"}, "threat_synthesis": {"affected_systems": "Vulnerable versions include all releases of Wallet System for WooCommerce up to and including 2.7.2, which is distributed by wpswings under the nickname \u2018Digital Wallet, Buy Now Pay Later, Instant Cashback, Referral program, Partial & Subscription Payments.\u2019 Sites running any of these versions on WordPress are within scope.", "description_and_impact": "An authenticated user with at least Subscriber role can alter wallet withdrawal requests by calling the \u2018change_wallet_fund_request_status_callback\u2019 endpoint without proper capability checks. This flaw permits the attacker to arbitrarily increase their own wallet balance or debit other users, leading to financial abuse.", "risk_and_exploitability": "CVSS score 6.5 indicates a moderate severity, while EPSS <1% signals low likelihood of public exploitation at this time. The flaw is not listed in CISA KEV, but any authenticated attacker can exploit it by simply performing a suitable AJAX request after login. Successful exploitation results in unauthorized balance manipulation, potentially inflating the attacker's funds or depleting others, damaging customer trust and financial integrity."}}}}, "created": "2026-01-19T09:19:29.854274+00:00", "updated": "2026-04-21T16:30:40.675598+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpswings", "wpswings$PRODUCT$wallet_system_for_woocommerce"]}