{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15513", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-12T12:10:48.753Z", "datePublished": "2026-01-14T06:40:07.126Z", "dateUpdated": "2026-04-08T17:16:31.375Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:31.375Z"}, "affected": [{"vendor": "floattechnologies", "product": "Float Payment Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed."}], "title": "Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444078%40float-gateway&new=3444078%40float-gateway&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-13T17:33:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T20:30:19.125983Z", "id": "CVE-2025-15513", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:30:29.106Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15513", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T20:30:19.125983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:30:24.813Z"}}], "cna": {"title": "Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "floattechnologies", "product": "Float Payment Gateway", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-15T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-13T17:33:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444078%40float-gateway&new=3444078%40float-gateway&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:31.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15513", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:31.375Z", "dateReserved": "2026-01-12T12:10:48.753Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T06:40:07.126Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed."}, {"lang": "es", "value": "El plugin Float Payment Gateway para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a un manejo inadecuado de errores en la funci\u00f3n verifyFloatResponse() en todas las versiones hasta la 1.1.9, inclusive. Esto permite a atacantes no autenticados marcar cualquier pedido de WooCommerce como fallido."}], "id": "CVE-2025-15513", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T07:16:14.433", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444078%40float-gateway&new=3444078%40float-gateway&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:05:48.682733+00:00", "value": {"mitigation_remediation": ["Upgrade the Float Payment Gateway plugin to version 1.2.0 or later where the error handling in verifyFloatResponse() has been corrected.", "Keep the WordPress installation and all other plugins up\u2011to\u2011date to prevent related vulnerabilities that could be leveraged in conjunction with this flaw.", "Leverage a web application firewall or security plugin to detect and block unauthenticated attempts to alter order status and to log any such incidents for further investigation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Order Status Manipulation"}, "threat_synthesis": {"affected_systems": "Vendor Float Technologies. Product Float Payment Gateway plugin for WordPress. Versions up to and including 1.1.9 are affected. The vulnerability exists in all WordPress sites that use these versions of the plugin.", "description_and_impact": "The Float Payment Gateway plugin for WordPress allows unauthenticated attackers to mark any WooCommerce order as failed due to improper error handling in the verifyFloatResponse() function. This authorization bypass vulnerability (CWE-863) lets an attacker alter order status without possessing valid credentials, potentially triggering refunds, voids, or other financial misrepresentations and undermining the integrity of transactional data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending crafted requests that trigger the verifyFloatResponse() routine, which is reachable without authentication. The lack of proper authorization checks allows the manipulation of order status data, presenting a medium risk if the plugin is active on a live e\u2011commerce site."}}}}, "created": "2026-01-15T08:04:02.057705+00:00", "updated": "2026-04-20T21:15:20.625974+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}