{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14460", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T15:56:31.158Z", "datePublished": "2026-01-07T09:21:04.538Z", "dateUpdated": "2026-04-08T17:26:39.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:39.127Z"}, "affected": [{"vendor": "enartia", "product": "Piraeus Bank WooCommerce Payment Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue."}], "title": "Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439515/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-01-06T20:29:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:48:55.317330Z", "id": "CVE-2025-14460", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:49:41.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14460", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:48:55.317330Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:49:37.801Z"}}], "cna": {"title": "Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "enartia", "product": "Piraeus Bank WooCommerce Payment Gateway", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:29:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821"}], "descriptions": [{"lang": "en", "value": "The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-07T09:21:04.538Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14460", "state": "PUBLISHED", "dateUpdated": "2026-01-07T14:49:41.847Z", "dateReserved": "2025-12-10T15:56:31.158Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:21:04.538Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue."}, {"lang": "es", "value": "El plugin de pasarela de pago WooCommerce de Piraeus Bank para WordPress es vulnerable a la modificaci\u00f3n no autorizada del estado de los pedidos en todas las versiones hasta la 3.1.4, inclusive. Esto se debe a la falta de comprobaciones de autorizaci\u00f3n en el manejador del endpoint de devoluci\u00f3n de llamada de pago al procesar la devoluci\u00f3n de llamada 'fail' de la pasarela de pago. Esto hace posible que atacantes no autenticados cambien el estado de cualquier pedido a 'failed' a trav\u00e9s del endpoint de la API de WooCommerce de acceso p\u00fablico, proporcionando solo el ID del pedido (par\u00e1metro MerchantReference), que puede ser f\u00e1cilmente enumerado ya que los IDs de los pedidos son enteros secuenciales. Esto puede causar una interrupci\u00f3n significativa del negocio, incluyendo env\u00edos cancelados, problemas de inventario y p\u00e9rdida de ingresos."}], "id": "CVE-2025-14460", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:54.903", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439515/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:14:36.145474+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update (3.1.5 or newer) that restores proper authorization checks for the payment callback endpoint.", "If an update is not immediately available, restrict the payment callback endpoint to authenticated users or implement a whitelist of IP addresses that can invoke the endpoint.", "Set up monitoring or logging of WooCommerce order status changes, and configure alerts for unexpected state transitions to detect unauthorized activity early."], "summary": {"action": "Patch", "impact": "Unauthorized Order Status Change"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the enartia Piraeus Bank WooCommerce Payment Gateway plugin for WordPress, in all releases up to and including version 3.1.4. WordPress sites that have installed these versions of the plugin are susceptible.", "description_and_impact": "The Piraeus Bank WooCommerce Payment Gateway plugin is vulnerable because it omits Authorization checks in the payment callback handler when processing a 'fail' callback. This omission permits unauthenticated users to set any order\u2019s status to 'failed' by submitting only the sequentially\u2013enumerated order ID (MerchantReference). The result is unauthorized order status modification, which can trigger invoice cancellation, shipment cancellation, inventory inconsistencies, and revenue loss. The flaw is a classic Missing Authorization (CWE\u2011862) weakness.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity for an unauthorized modification that impacts business availability. The EPSS score of less than 1\u202f% signals a low probability of real\u2011world exploitation. The issue is not listed in CISA\u2019s KEV catalog, further suggesting limited exploitation activity. Attackers can exploit the publicly reachable WooCommerce API endpoint with no credentials and can easily enumerate order IDs due to their sequential nature, enabling mass\u2011status changes and operational disruption."}}}}, "created": "2026-01-08T09:49:59.441148+00:00", "updated": "2026-04-20T21:15:20.642795+00:00", "vendors": ["enartia", "enartia$PRODUCT$piraeus_bank_woocommerce_payment_gateway", "wordpress", "wordpress$PRODUCT$wordpress"]}