WordPress Plugin Vulnerabilities

Campay Woocommerce Payment Gateway < 1.2.3 - Unauthenticated Payment Bypass

Description

The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.

Affects Plugins

Plugin icon
campay-api
Fixed in 1.2.3

References

CVE
CVE-2025-12883
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f12fa00-6108-4bd4-9310-8558211f4d0f

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No
WPVDB ID
f80969a3-516b-497b-86d8-0bf1e78d9142

Timeline

Publicly Published
2025-12-11 (about 3 months ago)
Added
2025-12-11 (about 3 months ago)
Last Updated
2025-12-20 (about 3 months ago)

Other

Published
Title
Published
2022-11-14
Title
TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR
Published
2021-03-31
Title
Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR
Published
2024-09-24
Title
REST API TO MiniProgram < 4.7.6 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
Published
2025-02-06
Title
Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure
Published
2024-09-13
Title
WooCommerce Multiple Free Gift <= 1.2.3 - Insufficient Server-Side Validation to Arbitrary Gift Adding