{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15512", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-12T10:05:06.395Z", "datePublished": "2026-01-14T06:40:06.342Z", "dateUpdated": "2026-04-08T17:10:31.747Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:31.747Z"}, "affected": [{"vendor": "aplazopayment", "product": "Aplazo Payment Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status."}], "title": "Aplazo Payment Gateway <= 1.4.3 - Missing Authorization to Unauthenticated Order Status Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457434%40aplazo-payment-gateway&new=3457434%40aplazo-payment-gateway&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-13T17:29:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T20:51:48.581728Z", "id": "CVE-2025-15512", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:52:03.376Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T20:51:48.581728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:51:56.953Z"}}], "cna": {"title": "Aplazo Payment Gateway <= 1.4.2 - Missing Authorization to Unauthenticated Order Status Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "aplazopayment", "product": "Aplazo Payment Gateway", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-15T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2026-01-13T17:29:56.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206"}], "descriptions": [{"lang": "en", "value": "The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-14T06:40:06.342Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15512", "state": "PUBLISHED", "dateUpdated": "2026-01-14T20:52:03.376Z", "dateReserved": "2026-01-12T10:05:06.395Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T06:40:06.342Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status."}, {"lang": "es", "value": "El plugin de la pasarela de pago Aplazo para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n check_success_response() en todas las versiones hasta la 1.4.2, inclusive. Esto hace posible que atacantes no autenticados establezcan cualquier pedido de WooCommerce al estado de 'pago pendiente'."}], "id": "CVE-2025-15512", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T07:16:14.250", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3457434%40aplazo-payment-gateway&new=3457434%40aplazo-payment-gateway&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:23:38.313699+00:00", "value": {"mitigation_remediation": ["Upgrade the Aplazo Payment Gateway to the latest version (\u22651.4.4) which includes the proper authorization check.", "Ensure that only users with the appropriate capabilities (e.g., Shop Manager or higher) can invoke order status changes.", "If a plugin update cannot be applied immediately, remove or restrict the check_success_response endpoint or disable order status modifications for unauthenticated users."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Order Status Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the Aplazo Payment Gateway WordPress plugin up to and including version\u202f1.4.3. Any site that has not upgraded beyond 1.4.3 is susceptible. No other product versions are listed as impacted.", "description_and_impact": "The Aplazo Payment Gateway plugin for WordPress contains a missing capability check in the check_success_response() function, which allows an una user to alter the status of any WooCommerce order to pending payment. This unauthorized modification undermines order integrity and can lead to fraudulent transactions or revenue loss. The weakness is classified as CWE\u2011862, a lack of authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than\u202f1\u202f% suggests a low likelihood of exploitation. The flaw is not currently listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request that triggers the vulnerable function; due to the missing authorization check, an attacker can manipulate order status without authentication."}}}}, "created": "2026-01-15T08:03:55.078029+00:00", "updated": "2026-04-21T16:30:40.679492+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}