{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14843", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T18:02:47.010Z", "datePublished": "2026-01-24T07:26:46.217Z", "dateUpdated": "2026-04-08T17:17:28.159Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:28.159Z"}, "affected": [{"vendor": "wizit", "product": "Wizit Gateway for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID."}], "title": "Wizit Gateway for WooCommerce <= 1.2.9 - Missing Authentication to Unauthenticated Arbitrary Order Cancellation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "MD. TAREQ AHAMED JONY"}], "timeline": [{"time": "2025-12-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-23T19:23:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:34:01.390359Z", "id": "CVE-2025-14843", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:44:44.088Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14843", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T15:34:01.390359Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:34:02.658Z"}}], "cna": {"title": "Wizit Gateway for WooCommerce <= 1.2.9 - Missing Authentication to Unauthenticated Arbitrary Order Cancellation", "credits": [{"lang": "en", "type": "finder", "value": "MD. TAREQ AHAMED JONY"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wizit", "product": "Wizit Gateway for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-15T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-23T19:23:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249"}], "descriptions": [{"lang": "en", "value": "The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:28.159Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14843", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:28.159Z", "dateReserved": "2025-12-17T18:02:47.010Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T07:26:46.217Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID."}, {"lang": "es", "value": "El plugin Wizit Gateway para WooCommerce para WordPress es vulnerable a la Cancelaci\u00f3n Arbitraria de Pedidos No Autenticada en todas las versiones hasta la 1.2.9, inclusive. Esto se debe a una falta de comprobaciones de autenticaci\u00f3n y autorizaci\u00f3n en la funci\u00f3n 'handle_checkout_redirecturl_response'. Esto hace posible que atacantes no autenticados cancelen pedidos arbitrarios de WooCommerce enviando una solicitud manipulada con un ID de pedido v\u00e1lido."}], "id": "CVE-2025-14843", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:06.073", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:00:16.996479+00:00", "value": {"mitigation_remediation": ["Upgrade the Wizit Gateway for WooCommerce plugin to a version that implements proper authentication and authorization checks for order cancellation requests.", "If an update is not available, restrict access to the checkout redirect URL endpoint by requiring administrative or logged\u2011in user privileges, or by disabling the endpoint altogether for non\u2011admin users.", "Enable logging of order status changes and monitor for anomalous cancellations; promptly investigate and block any IP addresses or users that trigger unexpected order cancellations."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Order Cancellation"}, "threat_synthesis": {"affected_systems": "All installations of the Wizit Gateway for WooCommerce plugin up to and including version 1.2.9 are affected. The issue exists in every version of the plugin released prior to 1.2.10.", "description_and_impact": "The Wizit Gateway for WooCommerce plugin contains a flaw in the handle_checkout_redirecturl_response function that fails to enforce authentication and authorization. An attacker can send a crafted HTTP request with a valid order identifier to cancel any WooCommerce order without needing to log in. This capability undermines the integrity of the e\u2011commerce process, allowing fraud or revenue loss by removing orders before payment is processed or altering order status to reflect cancellations.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% raises doubts about the likelihood of exploitation at this time. The vulnerability is listed as not in the CISA KEV catalog, reflecting its low current exploitation probability. Based on the description, the attack vector is inferred to be via a straightforward HTTP request to the checkout redirect URL endpoint, with the prerequisite of knowing an existing order ID. Once the attacker submits the crafted request, the order is canceled immediately, potentially causing financial and operational damage to the merchant."}}}}, "created": "2026-01-26T11:48:18.964491+00:00", "updated": "2026-04-20T21:15:20.619718+00:00", "vendors": ["wizit", "wizit$PRODUCT$gateway_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}