CVE-2025-15511
Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
28 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
rupantorpay · Rupantorpay