WordPress Plugin Vulnerabilities

WooODT Lite <= 2.5.2 - Unauthenticated Payment Bypass

Description

The WooODT Lite – Delivery & pickup date time location for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to bypass payments for orders.

Affects Plugins

Plugin icon
byconsole-woo-order-delivery-time
No known fix

References

CVE
CVE-2025-69401
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ded4dcdc-cda2-4485-8d90-77b849a1e436

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
benzdeus
Verified
No
WPVDB ID
ae36e261-ae01-4737-b0a1-fecf135e35c1

Timeline

Publicly Published
2026-02-11 (about 3 months ago)
Added
2026-02-17 (about 3 months ago)
Last Updated
2026-02-17 (about 3 months ago)

Other

Published
Title
Published
2024-04-25
Title
Car Dealer < 4.16 - Admin+ Content Injection
Published
2024-06-03
Title
Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update
Published
2024-02-20
Title
Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A
Published
2026-02-26
Title
Fluent Forms Pro Add On Pack < 6.1.18 - Missing Authorization to Unauthenticated Payment Status modification
Published
2025-11-21
Title
Subscriptions & Memberships for PayPal < 1.1.8 - Unauthenticated Fake Payment Creation