{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15511", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-12T09:39:53.146Z", "datePublished": "2026-01-28T11:23:38.266Z", "dateUpdated": "2026-04-08T16:38:11.949Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:11.949Z"}, "affected": [{"vendor": "rupantorpay", "product": "Rupantorpay", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint."}], "title": "Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-27T21:47:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:56:32.037029Z", "id": "CVE-2025-15511", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:56:42.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15511", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:56:32.037029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:56:36.576Z"}}], "cna": {"title": "Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rupantorpay", "product": "Rupantorpay", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-16T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2026-01-27T21:47:14.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172"}], "descriptions": [{"lang": "en", "value": "The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-28T11:23:38.266Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15511", "state": "PUBLISHED", "dateUpdated": "2026-01-28T15:56:42.370Z", "dateReserved": "2026-01-12T09:39:53.146Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T11:23:38.266Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint."}, {"lang": "es", "value": "El plugin Rupantorpay para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n handle_webhook() en todas las versiones hasta la 2.0.0, inclusive. Esto permite que atacantes no autenticados modifiquen los estados de los pedidos de WooCommerce enviando solicitudes manipuladas al endpoint de la API de WooCommerce."}], "id": "CVE-2025-15511", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T12:15:50.213", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:07:00.414406+00:00", "value": {"mitigation_remediation": ["Update the Rupantorpay plugin to the latest available version that includes the missing capability check fix.", "If an update is not yet available, restrict access to the WooCommerce order status API endpoint so that only authenticated, authorized users can modify order statuses, or disable the endpoint that allows status changes entirely.", "Enable detailed logging of all order status updates and monitor logs for unexpected changes to detect and respond to unauthorized activity."], "summary": {"action": "Update Plugin", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Rupantorpay plugin through version 2.0.0, inclusive. Users who have installed any of these affected versions are potentially exposed.", "description_and_impact": "A missing capability check in the handle_webhook() function of the Rupantorpay WordPress plugin allows an unauthenticated attacker to send crafted requests to the WooCommerce order status API endpoint and alter order statuses, such as cancelling, completing, or refunding orders, without any authorization.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw from any network by forging HTTP requests to the WooCommerce order status API endpoint, making the attack vector reachable but currently unlikely to be widely targeted."}}}}, "created": "2026-01-29T09:18:26.926732+00:00", "updated": "2026-04-22T20:15:20.528908+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}