{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14886", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T12:39:35.788Z", "datePublished": "2026-01-09T04:31:05.133Z", "dateUpdated": "2026-04-08T16:51:07.402Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:07.402Z"}, "affected": [{"vendor": "shoheitanaka", "product": "Japanized for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed."}], "title": "Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-18T17:14:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T16:20:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T18:17:25.306119Z", "id": "CVE-2025-14886", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:17:33.884Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14886", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T18:17:25.306119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:17:29.852Z"}}], "cna": {"title": "Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "shoheitanaka", "product": "Japanized for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.7.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-18T17:14:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T16:20:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51"}], "descriptions": [{"lang": "en", "value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T04:31:05.133Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14886", "state": "PUBLISHED", "dateUpdated": "2026-01-09T18:17:33.884Z", "dateReserved": "2025-12-18T12:39:35.788Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T04:31:05.133Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed."}, {"lang": "es", "value": "El plugin Japanized for WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en el endpoint de la API REST 'order' en todas las versiones hasta la 2.7.17, inclusive. Esto permite a atacantes no autenticados marcar cualquier pedido de WooCommerce como procesado/completado."}], "id": "CVE-2025-14886", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T05:15:57.250", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:02:29.217808+00:00", "value": {"mitigation_remediation": ["Upgrade the Japanized for WooCommerce plugin to version 2.7.18 or later, which removes the missing capability check on order status updates.", "If an immediate upgrade is not possible, add a temporary capability filter or restrict the order\u2011status endpoint to authenticated users by inserting a custom snippet that enforces a capability check or disables the endpoint for non\u2011admin roles.", "After applying the fix or temporary measure, monitor WooCommerce logs for unauthorized order status changes and review any orders that may have been altered fraudulently."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Order Status Modification"}, "threat_synthesis": {"affected_systems": "All installations of the Japanized for WooCommerce plugin by Shoheitanaka running version 2.7.17 or earlier on WordPress with WooCommerce. The flaw affects only the plugin's payment gateway endpoint for the paidy gateway, but it impacts any WooCommerce site that uses the affected plugin.", "description_and_impact": "The vulnerability exists in the WooCommerce REST API endpoint that updates order status. A missing capability check allows any visitor, including unauthenticated users, to mark an order as processed or completed.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is unauthenticated HTTP requests to the plugin\u2019s order REST endpoint, which can be made by anyone with access to the site\u2019s public URLs."}}}}, "created": "2026-01-09T13:24:07.873923+00:00", "updated": "2026-04-22T00:15:03.761978+00:00", "vendors": ["shoheitanaka", "shoheitanaka$PRODUCT$japanized_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}