{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14880", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T11:31:02.534Z", "datePublished": "2026-01-14T05:28:09.641Z", "dateUpdated": "2026-04-08T16:59:13.217Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:13.217Z"}, "affected": [{"vendor": "netcashpaynow", "product": "Netcash WooCommerce Payment Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed."}], "title": "Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127"}, {"url": "https://plugins.trac.wordpress.org/changeset/3438674/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-13T17:16:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T15:44:34.559599Z", "id": "CVE-2025-14880", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T19:16:52.390Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T15:44:34.559599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T15:44:37.077Z"}}], "cna": {"title": "Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "netcashpaynow", "product": "Netcash WooCommerce Payment Gateway", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-13T17:16:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127"}], "descriptions": [{"lang": "en", "value": "The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-14T05:28:09.641Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14880", "state": "PUBLISHED", "dateUpdated": "2026-01-14T19:16:52.390Z", "dateReserved": "2025-12-18T11:31:02.534Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T05:28:09.641Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed."}, {"lang": "es", "value": "El plugin Netcash WooCommerce Payment Gateway para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n handle_return_url en todas las versiones hasta la 4.1.3, inclusive. Esto hace posible que atacantes no autenticados marquen cualquier pedido de WooCommerce como en procesamiento/completado."}], "id": "CVE-2025-14880", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T06:15:53.520", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3438674/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:25:29.558401+00:00", "value": {"mitigation_remediation": ["Update the Netcash WooCommerce Payment Gateway to a version that implements the required capability check for the handle_return_url function.", "If an immediate update is not feasible, block or limit unauthenticated access to the plugin\u2019s return URL endpoint by configuring web server rules or a security plugin to allow access only to authenticated users and verified callbacks.", "Enable detailed logging for order status changes and routinely monitor logs for any unexpected status updates that might indicate attempts to manipulate order states from unauthenticated origins."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated Order Status Modification"}, "threat_synthesis": {"affected_systems": "Sites that have installed Netcash WooCommerce Payment Gateway version 4.1.3 or earlier are vulnerable. The issue applies to the WordPress plugin as shipped in those releases, meaning any WooCommerce installation that relies on that plugin for payment processing is at risk.", "description_and_impact": "The Netcash WooCommerce Payment Gateway plugin for WordPress contains a missing capability check in the handle_return_url function for all releases up to and including 4.1.3. This flaw permits unauthenticated attackers to trigger the return URL endpoint and set any WooCommerce order status to processing or completed, effectively advancing orders without valid authorization. The vulnerability meets the criteria for CWE\u2011862, indicating a missing privileged access check that results in unauthorized modifications of application state.", "risk_and_exploitability": "The CVSS score of 5.3 classifies this as moderate risk, while the EPSS score of <1% indicates a very low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the handle_return_url function can be called via the payment gateway's callback, allowing an unauthenticated requester to manipulate the order status without needing credentials. The absence of a proper capability check means the attacker can control the status change directly, potentially enabling fraudulent order fulfillment or masking unauthorized activity."}}}}, "created": "2026-01-14T10:48:28.675717+00:00", "updated": "2026-04-21T16:30:40.682108+00:00", "vendors": ["netcashpaynow", "netcashpaynow$PRODUCT$netcash_woocommerce_payment_gateway", "wordpress", "wordpress$PRODUCT$wordpress"]}