Razorpay for WooCommerce < 4.7.9 – Unauthenticated Order Modification | CVE 2025-14294 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.

Affects Plugins

Fixed in 4.7.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/163d42df-148f-431c-891e-dbdc09bf2ae1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Marcin Dudek (dudekmar)

Verified

No

WPVDB ID

cc0f9a6d-6ca2-4efc-9b76-d7a0668d015b

Timeline

Publicly Published

2026-02-18 (about 3 months ago)

Added

2026-02-18 (about 3 months ago)

Last Updated

2026-02-18 (about 3 months ago)

Other

Published

Title

Published

2025-11-24

Title

Blog2Social < 8.7.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing

Published

2021-11-15

Title

Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls

Published

2026-05-13

Title

My Calendar < 3.7.10 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

Published

2026-02-11

Title

New User Approve < 3.2.1 - Missing Authorization

Published

2025-12-20

Title

Gutenverse Form < 2.3.2 - Missing Authorization