{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15475", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T10:41:20.920Z", "datePublished": "2026-01-14T06:40:08.795Z", "dateUpdated": "2026-04-08T17:28:47.481Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:47.481Z"}, "affected": [{"vendor": "payhere", "product": "PayHere Payment Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold."}], "title": "PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440771%40payhere-payment-gateway&new=3440771%40payhere-payment-gateway&sfp_email=&sfph_mail=#file10"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-13T17:29:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T16:53:33.624707Z", "id": "CVE-2025-15475", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T17:14:32.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T16:53:33.624707Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T16:54:25.400Z"}}], "cna": {"title": "PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "payhere", "product": "PayHere Payment Gateway", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-13T17:29:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440771%40payhere-payment-gateway&new=3440771%40payhere-payment-gateway&sfp_email=&sfph_mail=#file10"}], "descriptions": [{"lang": "en", "value": "The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:47.481Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15475", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:47.481Z", "dateReserved": "2026-01-07T10:41:20.920Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T06:40:08.795Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold."}, {"lang": "es", "value": "El plugin de pasarela de pago PayHere para WooCommerce plugin para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una l\u00f3gica de validaci\u00f3n incorrecta en la funci\u00f3n check_payhere_response en todas las versiones hasta la 2.3.9, inclusive. Esto hace posible que atacantes no autenticados cambien el estado de pedidos pendientes de WooCommerce a pagado/completado/en espera."}], "id": "CVE-2025-15475", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T07:16:14.063", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440771%40payhere-payment-gateway&new=3440771%40payhere-payment-gateway&sfp_email=&sfph_mail=#file10"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:03:58.638309+00:00", "value": {"mitigation_remediation": ["Upgrade the PayHere Payment Gateway Plugin to the latest released version (>= 2.4.0 or later).", "If an upgrade is not immediately feasible, restrict external access to the PayHere response endpoint so that only authenticated administrators can trigger status changes, for example by adding firewall rules or using .htaccess restrictions.", "As a temporary measure, manually update order statuses to the correct state via the WooCommerce admin panel or adjust the database directly after confirming legitimate payments."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated order status modification"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the PayHere Payment Gateway Plugin for WooCommerce, specifically versions 2.3.9 and earlier. Owners of WordPress sites running any version up to 2.3.9 that utilize this plugin are potentially exposed.", "description_and_impact": "The PayHere Payment Gateway plugin for WooCommerce allows an unauthenticated attacker to alter the status of pending orders, changing them to paid, completed or on\u2011hold. This flaw originates from insecure validation logic in the check_payhere_response function. The resulting impact is an integrity breach that enables an attacker to prematurely mark orders as paid, potentially bypassing payment processing and causing financial loss or fraud.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to the plugin\u2019s payment response handler, though the exact method is not detailed in the description. This flaw exposes the order data integrity but does not grant arbitrary command execution or data exfiltration."}}}}, "created": "2026-01-15T08:03:58.430822+00:00", "title": "Unauthorized Order Status Modification Vulnerability in PayHere Payment Gateway", "updated": "2026-04-20T21:15:20.624008+00:00", "vendors": ["payhere", "payhere$PRODUCT$payment_gateway_plugin_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}