WordPress Plugin Vulnerabilities

PayHere Payment Gateway Plugin for WooCommerce < 2.4.0 - Missing Authorization to Unauthenticated Order Status Modification

Description

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.

Affects Plugins

Plugin icon
payhere-payment-gateway
Fixed in 2.4.0

References

CVE
CVE-2025-15475
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No
WPVDB ID
b36c4882-d7d8-49b8-8335-6c4912496eaf

Timeline

Publicly Published
2026-01-13 (about 4 months ago)
Added
2026-01-13 (about 4 months ago)
Last Updated
2026-01-23 (about 4 months ago)

Other

Published
Title
Published
2025-09-22
Title
ListingPro Reviews < 2.9.11 - Missing Authorization
Published
2025-12-22
Title
FV Simpler SEO < 1.9.7 - Missing Authorization
Published
2024-04-30
Title
Custom WooCommerce Checkout Fields Editor < 1.3.2 - Missing Authorization
Published
2025-04-04
Title
DethemeKit For Elementor <= 2.1.10 - Missing Authorization
Published
2024-07-23
Title
Social Auto Poster < 5.3.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion